Banshee CSRF error - suggestion

28 September 2014, 13:46

Hiawatha version: 9.7
Operating System: raspian (Debian clone for Raspberry Pi)

Hi Hugo!

I am running aHiawatha web server with Banshee on the c-r-e-d-i-t-card sized
Raspberry Pi computer. It is externally accessible via a port forwarding
rule in the router, the dynamic IP of the router handled by
To simplify the server address, it can be reached via a CNAME record from
my site at a web hotel.
This leads to a rather complicated chain of redirections: =>(CNAME) =>(Webhop) cdir.dserver,
Banshee does not like this, and givs me a CSRF error when I want to log in.

However, I solved this with two changes:
In website.conf I added a line:
In security.php I added after line 64:
$website_aliases = explode(",",str_replace("\w","",WEBSITE_ALIASES));
$valid_hostnames = array_merge($valid_hostnames, $website_aliases);

Maybe someone else can be helped by this?
(Of course, all server, dir and port names are cloaked here)

Best regards, and thanks for the nice systems,
Peter Kling
Hugo Leisink
30 September 2014, 08:42
What you can try is to make the hostname that's used in the browser the first hostname in your webserver configuration. The first hostname will be used for the HTTP_HOST CGI environment variable which Banshee uses to check for an CSRF attack (by matching it with HTTP_REFERER).
This topic has been closed.