XSRF Security Token Missing

XSRF Security Token Missing error message when clicking some links

End users suddenly unable to view their tickets from email links

JIRA Administrators to "Refer to this page" (https://confluence.atlassian.com/jira060/disabling-form-token-checking-370705161.html) does not have information, nor does the link within the page explain how to disable the token. Our users require our tokens via a gate to view JIRA and this is suddenly creating an issue. We haven't upgraded JIRA or made any configuration changes that would suddenly create this issue.

1 answer

1 vote

Hi Kristin,

Does this happen if they view the ticket directly or does it only happen when it is viewed from an email link?

This can happen if there is a proxy configured in front of the server using HTTP Basic Authentication (mod_auth_basic) due to the fact that versions 2.10+ don't support sessions for HTTP basic authentication. We explicitly invalidate the HTTP session at the end of every request which uses basic authentication for scalability since we don't want Tomcat holding a possibly large amount of sessions that were created having served only one request. As a result, anything which relies on sessions to work (e.g. XSRF protection) will no longer work.

A misconfiguration of the Tomcat connector can cause this. Specifically, if an insecure connector incorrectly contains the secure="true" attribute and value.

When running multiple Atlassian products on the same server using the same domain and only differentiating by port number. Java web applications identify your session by setting a cookie in your browser. This cookie is bound to the hostname and path that each application is deployed to, but ignores the port. Applications that reside at URLs where only the port is different may unintentionally overwrite each other's session information, resulting in lost sessions.

There is an article titled XSRF Security Token Missing that can help you narrow this down a bit more.  While it doesn't refer to JIRA the principle is the same.  If you need to change the JIRA context path you can find the instructions in Add a context path for JIRA.

I would also refer to the communities post "XSRF Security Token Missing" On almost every action on a ticket for the method they used to turn off the form checking.

 

Cheers,

Branden
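The connector and cookie-scope checks described in the answer above, as an added example that is not part of the original post or Atlassian's own code. The `server.xml` fragment, host names and function names are constructed for illustration; `secure`, `scheme`, `SSLEnabled`, `proxyName` and `proxyPort` are standard Tomcat Connector attributes.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <!-- plain HTTP but marked secure: the session cookie gets the Secure flag
         and the browser never sends it back over HTTP, so the session is lost -->
    <Connector port="8080" protocol="HTTP/1.1" secure="true"/>
    <!-- behind a TLS-terminating proxy: secure plus scheme=https is consistent -->
    <Connector port="8081" protocol="HTTP/1.1" secure="true" scheme="https"
               proxyName="jira.example.com" proxyPort="443"/>
    <!-- connector that terminates TLS itself -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               secure="true" scheme="https"/>
  </Service>
</Server>
"""

def insecure_connectors_marked_secure(server_xml):
    """Ports of connectors with secure="true" that neither do TLS nor declare scheme="https"."""
    flagged = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        secure = conn.get("secure", "false").lower() == "true"
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        https = conn.get("scheme", "http").lower() == "https"
        if secure and not tls and not https:
            flagged.append(int(conn.get("port")))
    return flagged

def cookie_scope_collisions(base_urls):
    """Group base URLs that share host and context path, i.e. differ only by port."""
    scopes = defaultdict(list)
    for url in base_urls:
        parts = urlsplit(url)
        # Session cookies are scoped by host and path; the port is ignored.
        scopes[(parts.hostname, parts.path.rstrip("/") or "/")].append(url)
    return [urls for urls in scopes.values() if len(urls) > 1]

if __name__ == "__main__":
    print(insecure_connectors_marked_secure(SAMPLE_SERVER_XML))
    print(cookie_scope_collisions(["http://host.example.com:8080/",
                                   "http://host.example.com:8090/",
                                   "http://host.example.com:8095/wiki"]))
```

Giving each application its own context path, as the answer suggests, moves it into a separate cookie scope and clears the second finding.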

It appears the XSRF and viewing a JSD ticket via the email link are two separate issues. 

The XSRF issue was limited to just myself and may have been related to a cookie. Restarting my system may have resolved this issue but I won't be certain for a few hours.

I verified with our dev team and our JIRA/proxy settings are correct.

The email link issue is potentially caused by an email config change and is being researched now.

Thank you for the above information. It was valuable.

Thanks,

Kristin

No problem.  Hopefully you won't see this re-occur!

 
