XSRF Security Token Missing

Kristin Bitler July 24, 2017

XSRF Security Token Missing error message when clicking some links

End users suddenly unable to view their tickets from email links

JIRA Administrators are told to "Refer to this page (https://confluence.atlassian.com/jira060/disabling-form-token-checking-370705161.html)", but it does not have the information, nor does the link within the page explain how to disable the token. Our users require our tokens via a gate to view JIRA and this is suddenly creating an issue. We haven't upgraded JIRA or made any configuration changes that would suddenly create this issue.

1 answer

1 vote
somethingblue
Atlassian Team
July 25, 2017

Hi Kristin,

Does this happen if they view the ticket directly or does it only happen when it is viewed from an email link?

This can happen if there is a proxy configured in front of the server using HTTP Basic Authentication (mod_auth_basic), due to the fact that versions 2.10+ don't support sessions for HTTP basic authentication. We explicitly invalidate the HTTP session at the end of every request which uses basic authentication, for scalability, since we don't want Tomcat holding a possibly large number of sessions that were created having served only one request. As a result, anything which relies on sessions to work (e.g. XSRF protection) will no longer work.

A misconfiguration of the Tomcat connector can cause this. Specifically, if an insecure connector incorrectly contains the secure="true" attribute and value.

It can also happen when running multiple Atlassian products on the same server using the same domain and differentiating only by port number. Java web applications identify your session by setting a cookie in your browser. This cookie is bound to the hostname and path that each application is deployed to, but ignores the port. Applications that reside at URLs where only the port is different may unintentionally overwrite each other's session information, resulting in lost sessions.

There is an article titled XSRF Security Token Missing that can help you narrow this down a bit more. While it doesn't refer to JIRA, the principle is the same. If you need to change the JIRA context path you can find the instructions in Add a context path for JIRA.

I would also refer to the Community post "XSRF Security Token Missing" On almost every action on a ticket for the method they used to turn off the form checking.


Cheers,

Branden
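As an added illustration of the shared-host, different-port case described in the answer above (example code, not from the page or from Atlassian): Python's standard-library cookie jar applies the same host-and-path matching rule browsers use, so two applications on atlassian.example.com (a constructed hostname) that differ only by port overwrite each other's JSESSIONID unless each sits under its own context path. Every hostname, port, path and session value below is constructed for the demonstration.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers,
    enough for CookieJar.extract_cookies(), which only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def issue_session_cookie(jar, login_url, session_id, cookie_path):
    """Simulate one application responding to a login with its JSESSIONID."""
    request = urllib.request.Request(login_url)
    response = _SetCookieResponse([f"JSESSIONID={session_id}; Path={cookie_path}"])
    jar.extract_cookies(response, request)  # browser-style storage: host + path, port ignored


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would send with a request to url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def jira_cookie_after_both_logins(jira_context, confluence_context):
    """Log in to JIRA on :8080 and Confluence on :8090 under the given context
    paths ("" = deployed at the root), then report what JIRA receives back.
    An XSRF token is bound to the session that issued it, so if the JIRA
    session cookie has been replaced the token check fails."""
    jar = http.cookiejar.CookieJar()
    jira = f"http://atlassian.example.com:8080{jira_context}"
    confluence = f"http://atlassian.example.com:8090{confluence_context}"
    issue_session_cookie(jar, jira + "/login", "JIRA-SESSION", jira_context or "/")
    issue_session_cookie(jar, confluence + "/login", "CONF-SESSION", confluence_context or "/")
    return cookie_header_for(jar, jira + "/browse/PROJ-1")


if __name__ == "__main__":
    print("root contexts:    ", jira_cookie_after_both_logins("", ""))
    print("distinct contexts:", jira_cookie_after_both_logins("/jira", "/confluence"))
```

With both products at the root path JIRA gets Confluence's session cookie back, which is exactly the lost-session condition that surfaces as "XSRF Security Token Missing"; giving each product its own context path keeps the cookies apart.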

Kristin Bitler July 25, 2017

It appears the XSRF and viewing a JSD ticket via the email link are two separate issues.

The XSRF issue was limited to just myself and may have been related to a cookie. Restarting my system may have resolved this issue but I won't be certain for a few hours.

I verified with our dev team and our JIRA/proxy settings are correct.

The email link issue is potentially caused by an email config change and is being researched now.

Thank you for the above information. It was valuable.

Thanks,

Kristin

somethingblue
Atlassian Team
July 25, 2017

No problem. Hopefully you won't see this re-occur!
