Sortarr setup cannot complete – CSRF validation failed (token-missing-cookie) during /setup POST #33

@Rijstkeizer

Environment

Sortarr version
v0.8.5.1

Installation method
Docker (Unraid custom template)

Host OS
Unraid (Linux)

Access method
http://192.168.0.179:9595

Browser
Firefox (also reproduced in private window)

Container port mapping
9595 -> 8787

Persistent config path
/mnt/cache_nvme/appdata/sortarr

Description

During the initial setup wizard, clicking “Save and continue” always fails with:
CSRF validation failed

The server logs show:
reason: "token-missing-cookie"

This happens consistently even after:

  • fresh container reinstall
  • fresh browser session
  • manual secret key seeding
  • incognito window

The request reaches the server but the CSRF middleware rejects it because the session cookie is missing.

Relevant logs

Startup:
useradd warning: sortarr's uid 99 outside of the UID_MIN 1000 and UID_MAX 60000 range.
INFO sortarr: Security mode active: persistent-secret enforcement on, startup-fail enforcement on, unsafe-recovery=disabled, csrf-trusted-origins=0, session-cookie={secure-default:true,secure-override:auto,samesite:Lax,httponly:true}.
INFO waitress: Serving on http://0.0.0.0:8787

Failed setup submission:
WARNING sortarr: CSRF request rejected:
{
"method": "POST",
"path": "/setup",
"host": "192.168.0.179:9595",
"reason": "token-missing-cookie",
"remote_addr": "192.168.0.123",
"Origin": "http://192.168.0.179:9595",
"Referer": "http://192.168.0.179:9595/setup"
}

Configuration

Sortarr.env contents after startup:
TAUTULLI_METADATA_LOOKUP_LIMIT=-1
TAUTULLI_METADATA_LOOKUP_SECONDS=0
SORTARR_REQUIRE_PERSISTENT_SECRET_KEY=1
SORTARR_FAIL_STARTUP_ON_MISSING_SECRET_KEY=1

Secret key is provided via file:
SORTARR_SECRET_KEY_FILE=/config/secrets/secret_key

File exists at:
/mnt/cache_nvme/appdata/sortarr/secrets/secret_key

Permissions:
600
owned by 99:100

Steps to reproduce

  1. Deploy container
  2. Open http://:9595/setup
  3. Enter Sonarr/Radarr URLs and API keys
  4. Click Save and continue

Result:
CSRF validation failed

Things already tried

  • deleting and recreating container
  • clearing browser cookies
  • private browsing window
  • manually seeding SORTARR_SECRET_KEY_FILE
  • editing Sortarr.env
  • accessing via IP and hostname

All produce the same result.

Expected behavior
Setup should complete and write configuration to Sortarr.env.

Actual behavior
Setup POST request fails CSRF validation due to token-missing-cookie, preventing initial configuration.
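
The `token-missing-cookie` reason means the POST arrived without the session cookie, so a useful check is whether the cookie's attributes let the browser store and return it for the origin in use. The sketch below is an added example, not Sortarr's code and not part of the original report. The function name and the `Set-Cookie` strings are constructed, and the first string assumes the server emits the attributes named in the startup log line.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_return_problems(set_cookie, page_url, post_path):
    """List reasons a browser would not return this cookie on a POST to post_path.

    set_cookie is one Set-Cookie header value received from page_url.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        return ["no parsable cookie in header"]
    name, morsel = next(iter(jar.items()))
    url = urlsplit(page_url)
    host = (url.hostname or "").lower()
    problems = []

    # Browsers refuse to store a Secure cookie set by a plain-HTTP response
    # (loopback exemptions are ignored here, so this check is conservative).
    if morsel["secure"] and url.scheme != "https":
        problems.append(f"{name}: Secure cookie set over {url.scheme}")

    # SameSite=None is only accepted together with Secure.
    if morsel["samesite"].lower() == "none" and not morsel["secure"]:
        problems.append(f"{name}: SameSite=None without Secure")

    # Domain must equal the host or be a parent domain of it; an IP-literal
    # host only matches an identical Domain value.
    domain = morsel["domain"].lstrip(".").lower()
    is_ip = host.replace(".", "").isdigit() or ":" in host
    if domain and domain != host and (is_ip or not host.endswith("." + domain)):
        problems.append(f"{name}: Domain={domain} does not match host {host}")

    # Path must be a prefix of the request path (no Path is treated as "/").
    path = morsel["path"] or "/"
    if not (post_path == path or post_path.startswith(path.rstrip("/") + "/")):
        problems.append(f"{name}: Path={path} does not cover {post_path}")
    return problems


# Constructed headers: the first uses the attributes from the startup log line.
WITH_SECURE = "session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"
WITHOUT_SECURE = "session=abc123; HttpOnly; SameSite=Lax; Path=/"

if __name__ == "__main__":
    for header in (WITH_SECURE, WITHOUT_SECURE):
        print(cookie_return_problems(header, "http://192.168.0.179:9595/setup", "/setup"))
```

To apply it to a real deployment, pass the `Set-Cookie` value seen on the GET of the setup page (browser developer tools or `curl -i`) instead of the constructed strings.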

Projects

Status

In review
