XSRF Security Token Missing error message when clicking some links
End users suddenly unable to view their tickets from email links
JIRA Administrators to "Refer to this page" (https://confluence.atlassian.com/jira060/disabling-form-token-checking-370705161.html) does not have information, nor does the link within the page explain how to disable the token. Our users require our tokens via a gate to view JIRA and this is suddenly creating an issue. We haven't upgraded JIRA or made any configuration changes that would suddenly create this issue.
Hi Kristin,
Does this happen if they view the ticket directly or does it only happen when it is viewed from an email link?
This can happen if there is a proxy configured in front of the server using HTTP Basic Authentication (mod_auth_basic) due to the fact that versions 2.10+ don't support sessions for HTTP basic authentication. We explicitly invalidate the HTTP session at the end of every request which uses basic authentication for scalability since we don't want Tomcat holding a possibly large amount of sessions that were created having served only one request. As a result, anything which relies on sessions to work (e.g. XSRF protection) will no longer work.
A misconfiguration of the Tomcat connector can cause this. Specifically, if an insecure connector incorrectly contains the secure="true" attribute and value.
When running multiple Atlassian products on the same server using the same domain and only differentiating by port number. Java web applications identify your session by setting a cookie in your browser. This cookie is bound to the hostname and path that each application is deployed to, but ignores the port. Applications that reside at URLs where only the port is different may unintentionally overwrite each other's session information, resulting in lost sessions.
There is an article titled XSRF Security Token Missing that can help you narrow this down a bit more. While it doesn't refer to JIRA the principle is the same. If you need to change the JIRA context path you can find the instructions in Add a context path for JIRA.
I would also refer to the communities post "XSRF Security Token Missing" On almost every action on a ticket for the method they used to turn off the form checking.
Cheers,
Branden
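Two of the causes listed in the answer above (a connector marked secure="true" without TLS, and applications that differ only by port) can be checked mechanically. This is an added example, not part of the original thread or Atlassian's code; the sample server.xml, the hostnames, and the function names are constructed for illustration, and it assumes a connector with scheme="https" sits behind a TLS-terminating proxy.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample server.xml fragment (not from the original thread).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" secure="true"/>
    <Connector port="8081" protocol="HTTP/1.1" scheme="https" secure="true"
               proxyName="jira.example.com" proxyPort="443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

def insecure_connectors_marked_secure(server_xml):
    """Return ports of connectors that claim secure="true" without TLS.

    A connector counts as legitimately secure if it terminates TLS itself
    (SSLEnabled="true") or declares scheme="https" (assumed: a proxy does).
    """
    flagged = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        secure = conn.get("secure", "false").lower() == "true"
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        https = conn.get("scheme", "http").lower() == "https"
        if secure and not (tls or https):
            flagged.append(int(conn.get("port")))
    return flagged

def session_cookie_collisions(base_urls):
    """Group application URLs that share host and context path.

    Cookies are scoped by host and path but not by port, so applications in
    the same group can overwrite each other's session cookie.
    """
    groups = defaultdict(list)
    for url in base_urls:
        parts = urlsplit(url)
        key = (parts.hostname, parts.path.rstrip("/") or "/")
        groups[key].append(url)
    return [urls for urls in groups.values() if len(urls) > 1]
```

Giving each application its own context path or hostname removes it from the collision list.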
It appears the XSRF and viewing a JSD ticket via the email link are two separate issues.
The XSRF issue was limited to just myself and may have been related to a cookie. Restarting my system may have resolved this issue but I won't be certain for a few hours.
I verified with our dev team and our JIRA/proxy settings are correct.
The email link issue is potentially caused by an email config change and is being researched now.
Thank you for the above information. It was valuable.
Thanks,
Kristin
No problem. Hopefully you won't see this re-occur!