Confluence license renewal: XSRF check failed

Denis Pramme February 5, 2019

Hello folks,


We are having some trouble getting the new Confluence license (renewal) into use.

Setup:

Confluence instance (6.7.1) on-premises (subdomain.example.com/confluence) with an Apache proxy behind a reverse proxy (for internet access); the https path is enforced (via the Apache proxy).

Scheme (https), proxy details (subdomain.example.com) and so on have been entered correctly in server.xml.

But now, while trying to enter the new license key in the admin center, the XSRF check fails.

We already tried a slightly changed proxy setting (subdomain.example.com/confluence), but it didn't help either.

So the answers / sources most often given here on the forums for the XSRF problem didn't help us.

(https://confluence.atlassian.com/kb/cross-site-request-forgery-csrf-protection-changes-in-atlassian-rest-779294918.html

https://community.atlassian.com/t5/Confluence-questions/License-update-quot-XSRF-check-failed-quot/qaq-p/1477

https://community.atlassian.com/t5/Confluence-questions/XSRF-check-failed-on-Confluence/qaq-p/616998

https://community.atlassian.com/t5/Confluence-questions/XSRF-check-failed-wile-replacing-evaluation-license-in/qaq-p/871322

https://community.atlassian.com/t5/Bitbucket-discussions/License-update-quot-XSRF-check-failed-quot/td-p/679211)



Can you provide us with another idea?

Or is it possible to deactivate the XSRF check? (I know that's not a good idea, but I want to get it done.)

2 answers

1 accepted

0 votes
Answer accepted
Denis Pramme February 7, 2019

Eureka!

The solution was right before our very eyes all the time...

Apparently the XSRF check relies on the web server's and web browser's Referer capability. But for security reasons we had deactivated the website referer in some of our web server configurations, and this way there were no Referer headers at all.

So obviously the XSRF check can't work then. *facepalm*

Deactivating the referer policy, updating the license, activating the referer policy again: done, fine, thank you.

Best Regards,

Diana
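As an illustration of the mechanism Diana describes (an added example, not Confluence's own code), the following model of an Origin/Referer-based XSRF check shows why a state-changing request that arrives with no Referer header fails, and why a scheme or host mismatch between what the proxy presents and the configured base URL (the server.xml connector settings Shannon points to) fails the same way. The base URL is the one from the thread; the `X-Atlassian-Token: no-check` bypass follows the linked Atlassian KB article but is an assumption in this model.

```python
"""Model of an Origin/Referer-based XSRF check (illustration only)."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Base URL from the thread's setup: scheme + host + context path.
BASE_URL = "https://subdomain.example.com/confluence"


def _origin(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it is not a full URL.

    'null' (what a browser sends as Origin under a no-referrer policy)
    has neither scheme nor host and therefore reduces to None.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def xsrf_check(method: str, headers: Dict[str, str],
               base_url: str = BASE_URL) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Assumed policy (modelled on the documented Atlassian REST behaviour,
    not copied from it):
      * safe methods (GET/HEAD/OPTIONS) are never checked;
      * 'X-Atlassian-Token: no-check' marks a request as deliberately
        non-browser and bypasses the header comparison;
      * otherwise Origin, falling back to Referer, must match the scheme
        and host of the configured base URL.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-atlassian-token", "").lower() == "no-check":
        return True, "no-check token present"
    expected = _origin(base_url)
    for name in ("origin", "referer"):
        if name in h:
            got = _origin(h[name])
            if got == expected:
                return True, f"{name} matches {expected}"
            return False, f"{name} {got!r} does not match {expected!r}"
    # Neither header present: this is what a no-referrer policy or a proxy
    # that strips Referer produces, and the check must fail closed.
    return False, "no Origin or Referer header"
```

Running the license form's POST through this with the Referer stripped reproduces the "XSRF check failed" outcome, while the same request with a Referer under the configured https base URL passes; an http Referer (the proxy not enforcing the scheme the connector is configured for) is rejected too.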

1 vote
Shannon S
Atlassian Team
February 6, 2019

Diana,

So the suggestions from License update "XSRF check failed" didn't help, including connecting to the server directly, bypassing the proxy, or disabling the XSRF token?

Confluence requires an XSRF token to be present on comment creation, to prevent users being tricked into unintentionally submitting malicious data. All the themes bundled with Confluence have been designed to use this feature. However, if you are using a custom theme that does not support this security feature, you can disable it.

Warning: Please carefully consider the security risks before you disable XSRF protection for comments in your Confluence installation.

Read more about XSRF (Cross Site Request Forgery) at cgisecurity.com.

To configure XSRF protection for comments:

  1. Choose the cog icon, then choose General Configuration.
  2. Choose Security Configuration in the left-hand panel.
  3. Choose Edit.
  4. Uncheck the Adding Comments checkbox in the XSRF Protection section, to disable XSRF protection.
  5. Choose Save.

It was mentioned in the article, but you hadn't mentioned the results of that, so please let me know which suggestions you have already tried and what the results were.

Shannon

Denis Pramme February 7, 2019

Dear Shannon,

Thank you for your answer.

Bypassing the proxy would have a lot of implications due to our network setup, so any other solution is preferred.

That is to say, disabling the "XSRF protection for comments" will also have an effect on the license input field? We thought it would work "for comments" only and not globally. OK, we will try that option and let you know if it worked out.

Denis Pramme February 7, 2019

Hello again,

Unfortunately, disabling the XSRF protection for comments didn't help; the license input field performs the XSRF check nonetheless.

Best Regards,

Diana

Shannon S
Atlassian Team
February 7, 2019

Diana,

My apologies, I hoped that would have worked.

If I were you, I would just manually update the license, then you don't need to worry about the XSRF protection error right now.

However, you still want to fix the issue that is causing your XSRF issue. This means that something hasn't been set up properly with your proxy, and it can cause issues in the future.

I would recommend reviewing the following article and having a look at your server.xml to see how you set up the connector.

Regards,

Shannon
