CSRF attack message thrown when JSESSIONID is changed

2009-05-20T18:05:44
ID ATLASSIAN:CONFSERVER-15779
Type atlassian
Reporter jlargman
Modified 2017-04-02T07:41:27

Description

{panel:bgColor=#e7f4fa} NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15779]. {panel}

Symptoms: Anything that uses DWR fails. In practice, the page editor is fully or partially unusable and may display the text "Draft saving timed out" above the text area. At the same time, the following error message is printed in the Confluence log:

{noformat}
2009-05-15 08:06:36,011 ERROR [http-83.149.65.63:8443-10] [org.directwebremoting.dwrp.Batch] error A request has been denied as a potential CSRF attack. - referer: https://confluenceURL/pages/editpage.action?pageId=720900 | url: /dwr/call/plaincall/DraftAjax.getDraftSaveInterval.dwr | userName: admin
{noformat}

Cause:

1. If you change the name of the JSESSIONID cookie in the application configuration in WebSphere (Application Server > serverName > Web Container > Session Management > Cookies), a message appears both in the UI and the logs:

"A request has been denied as a potential CSRF attack."

If for any reason the session cookie is named anything other than "JSESSIONID", this error occurs. In WebSphere, in a shared environment, the session cookie names are modified to be unique to each JVM so that each application receives the requests meant for it. Confluence throws this error under that condition.

2. It can also happen if proxy rewrite rules interfere with and change the session cookie.

The workaround is to leave the JSESSIONID cookie name unchanged, or to fix the proxy rewrite rules.

The improvement request is to handle differently named JSESSIONID cookies.
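As an added illustration (not Confluence's or DWR's own code), the following is a simplified model of the check behind the error above: the browser-side script looks up the session cookie by a fixed name and echoes its value in the request body, and the server denies the call when that value does not match the session id it resolved from the Cookie header. The renamed cookie CONFSESSIONID and the session value are constructed sample data.

```javascript
// Added illustration, not DWR's or Confluence's own code: a simplified model of
// the CSRF check DWR performs around each remoted call.

// Parse a Cookie header (or document.cookie) string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Browser side: the script looks up the session cookie by a fixed name
// (default "JSESSIONID") and echoes its value in the request body.
function buildBatch(cookieString, sessionCookieName = 'JSESSIONID') {
  return { httpSessionId: parseCookies(cookieString)[sessionCookieName] || '' };
}

// Server side: the container has already resolved the session id from its own
// (possibly renamed) cookie. A body value that does not match is treated as a
// forged cross-site request, because a forging page cannot read the cookie.
function checkNotCsrfAttack(requestedSessionId, batch) {
  if (!requestedSessionId) return { allowed: true, reason: 'no session' };
  if (requestedSessionId === batch.httpSessionId) return { allowed: true, reason: 'session ids match' };
  return { allowed: false, reason: 'A request has been denied as a potential CSRF attack.' };
}

// Constructed sample values: the session id and a WebSphere-style renamed cookie.
const SESSION = 'A1B2C3D4E5F6';
const defaultCookieHeader = `JSESSIONID=${SESSION}`;
const renamedCookieHeader = `CONFSESSIONID=${SESSION}; other=1`;

// With the default name the check passes; with a renamed cookie the script
// finds nothing to echo and the legitimate editor call is denied.
function scenarioDefaultName() {
  return {
    standard: checkNotCsrfAttack(SESSION, buildBatch(defaultCookieHeader)).allowed,
    renamed: checkNotCsrfAttack(SESSION, buildBatch(renamedCookieHeader)).allowed,
  };
}

// The requested improvement: let the configured cookie name drive the lookup.
function scenarioConfiguredName() {
  return checkNotCsrfAttack(SESSION, buildBatch(renamedCookieHeader, 'CONFSESSIONID')).allowed;
}
```

A renamed cookie and a genuinely forged request look identical to this check (both arrive with an empty echoed session id), which is why the false positive cannot be told apart from an attack without knowing the configured cookie name.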