Published Jun. 30, 2025

User did not provide a valid CSRF token Error

Posted by

John Park

Issue

  • Portlet action requests intermittently return a 403 error code. Whenever the 403 error is returned, the following invalid CSRF token message is printed in the logs:

    "User [user_id] did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper"
     
  • When bypassing the web server to access the application server directly, the issue is not reproducible. 

Environment

  • Quarterly Release
  • DXP 7.4

Resolution

Since the issue does not occur when the web server is bypassed, the resolution will likely require a change to the web server configuration.

The following areas may be worth investigating:

  1. Verify the sticky sessions configuration to ensure requests from the same user are consistently routed to the same Liferay node. Examine Apache's configuration files (e.g., httpd.conf, mod_proxy_balancer configuration) for any inconsistencies or errors related to session stickiness, particularly focusing on how the `JSESSIONID` cookie is handled.
  2. Ensure the configuration aligns with Liferay's requirements for clustered environments, especially concerning the `virtual.hosts.valid.hosts` property in portal-ext.properties. Pay close attention to the interaction between Apache and Liferay's CSRF token generation and validation mechanisms. Look for any discrepancies in the handling of the `p_auth` parameter across requests. A common misconfiguration is an inconsistency in the domain setting for the `JSESSIONID` cookie between Apache and Liferay.
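
One way to check item 1 from the web server's access log, as an added example that is not from the original article or from Liferay. It assumes a custom Apache LogFormat that records the `JSESSIONID` cookie, mod_proxy_balancer's `BALANCER_WORKER_ROUTE` variable and the response status, and Tomcat-style session ids that end in the owning node's route; the log lines and the node names `node1`/`node2` are constructed.

```python
"""Report sessions the balancer did not keep on a single node."""
from collections import defaultdict

# Assumed LogFormat (not from the article):
#   LogFormat "%{JSESSIONID}C %{BALANCER_WORKER_ROUTE}e %>s %r" sticky
# Constructed sample lines; node1/node2 are hypothetical route names.
SAMPLE_LOG = """\
A1B2C3.node1 node1 200 GET /web/guest/home HTTP/1.1
A1B2C3.node1 node1 200 POST /web/guest/home?p_p_lifecycle=1 HTTP/1.1
D4E5F6.node2 node2 200 GET /web/guest/home HTTP/1.1
D4E5F6.node2 node1 403 POST /web/guest/home?p_p_lifecycle=1 HTTP/1.1
G7H8I9 node1 200 GET /web/guest/home HTTP/1.1
G7H8I9 node2 403 POST /web/guest/home?p_p_lifecycle=1 HTTP/1.1
- node1 200 GET /c/portal/login HTTP/1.1
"""


def find_sticky_violations(log_text):
    """Return {session_id: details} for sessions that changed or missed their node."""
    served_by = defaultdict(set)  # session id -> worker routes that answered
    forbidden = defaultdict(int)  # session id -> number of 403 responses
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3 or "-" in fields[:2]:
            continue  # malformed line, no session cookie, or not balanced
        session, worker, status = fields[:3]
        served_by[session].add(worker)
        if status == "403":
            forbidden[session] += 1

    report = {}
    for session, workers in served_by.items():
        # Tomcat-style ids end in ".<route>" naming the node that owns the session.
        _, dot, route = session.rpartition(".")
        expected = route if dot else None
        off_route = expected is not None and workers != {expected}
        if len(workers) > 1 or off_route:
            report[session] = {
                "expected": expected,
                "served_by": sorted(workers),
                "403s": forbidden[session],
            }
    return report


if __name__ == "__main__":
    for sid, info in find_sticky_violations(SAMPLE_LOG).items():
        print(sid, info)
```

A session that shows up in this report together with 403 responses is the routing pattern item 1 asks you to rule out.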

 
