OpenProject 8 Login Redirection Issue

Hi all,
After upgrading to OpenProject, users are not redirected anymore after login.
If your login is valid, the login window stays open in the browser with username and password, as if the Login button was never pressed. (If not valid, there is the normal ‘password or user incorrect’ dialogue.)
If you click Login again, you get a 422 error with this message (sorry, German):

Das Cross-Site Request Forgery Token konnte nicht verfiziert werden. Wenn Sie versucht haben, Daten auf mehreren Tabs oder Browsern abzuspeichern, schließen sie diese und laden diese Seite erneut um den Vorgang zu wiederholen.

There are no other tabs or whatever. The server operates under a single domain with valid SSL certificates, so no cross-site requests as far as I can tell.
I tested this on two different UCS systems in different environments, same issue.

As a workaround, you can remove the /login part from the URL after clicking login; this brings you to your normal logged-in user view and you can use OP without any problems.

Any ideas why the redirect after a successful login is not working?


Having the same problem. But basically it happens with all ‘creates’ in OpenProject.
After clicking save there is no feedback but the action is executed.
Is there a problem with the response from the backend?
Has anyone found a solution?

Found the issue!
The problem is that OP is by default configured to use HTTP for communication between Apache and the Docker container. This makes OP try to redirect to http which is forbidden for security reasons, so no redirect happens at all.

Pity is that I configured my old installation to use https, so this was overwritten during the update to v8.

To solve this, go to the Administration -> System settings -> General -> Protocol and set it to HTTPS. Save the changes - done.
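
A way to check a captured login response for the symptom described above, as an added example that is not part of the original post or OpenProject's own code: it classifies the redirect target against the HTTPS URL the browser posted to. The host name, paths and header values are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def check_login_redirect(request_url, status, headers):
    """Classify the response to a login POST sent to request_url.

    Returns "no-redirect", "scheme-downgrade", "cross-origin" or "ok".
    """
    # Header names are case-insensitive, so match on the lowered name.
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status not in REDIRECT_CODES or not location:
        return "no-redirect"
    # A relative Location resolves against the request URL and keeps its scheme.
    target = urljoin(request_url, location)
    if urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http":
        # The application behind the TLS-terminating proxy built an http:// URL.
        return "scheme-downgrade"
    if origin(target) != origin(request_url):
        return "cross-origin"
    return "ok"


# Constructed captures of POST https://op.example.test/login
LOGIN_URL = "https://op.example.test/login"
CAPTURES = {
    "protocol set to HTTP": (302, {"Location": "http://op.example.test/home"}),
    "protocol set to HTTPS": (302, {"location": "https://op.example.test:443/home"}),
    "relative redirect": (303, {"Location": "/home"}),
    "CSRF rejection": (422, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for name, (status, headers) in CAPTURES.items():
        print(f"{name}: {check_login_redirect(LOGIN_URL, status, headers)}")
```
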



I can confirm that the workaround described by @Emilfelix has worked for me.

Best regards,

Hey @Emilfelix @gulden

I am using an Ubuntu installation of OpenProject with Postgres DB.

I am using nginx to redirect to https, and am getting exactly the same error. What I see when clicking login is that a request is sent to which always fails, even if I set the System settings / Protocol to HTTPS.

Any ideas why that would be happening?

Thank you in advance.