Knowledge Base
Published Jun. 30, 2025

User did not provide a valid CSRF token Error

Written by John Park

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Issue

  • Portlet Action requests intermittently return a 403 error code. Whenever the 403 error is thrown, the following error message about an invalid CSRF token is printed in the logs:

    "User [user_id] did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper"
  • When bypassing the web server to access the application server directly, the issue is not reproducible. 

Environment

  • DXP 7.4+

Resolution

Since the issue does not occur when the web server is removed as a variable, the resolution will likely require a modification to the web server configuration.

The following suggestions may be helpful to investigate:

  1. Verify the sticky sessions configuration to ensure requests from the same user are consistently routed to the same Liferay node. Examine Apache's configuration files (e.g., httpd.conf, mod_proxy_balancer configuration) for any inconsistencies or errors related to session stickiness, particularly focusing on how the `JSESSIONID` cookie is handled.
  2. Ensure the configuration aligns with Liferay's requirements for clustered environments, especially concerning the `virtual.hosts.valid.hosts` property in portal-ext.properties. Pay close attention to the interaction between Apache and Liferay's CSRF token generation and validation mechanisms. Look for any discrepancies in the handling of the `p_auth` parameter across requests. A common misconfiguration is an inconsistency in the domain setting for the `JSESSIONID` cookie between Apache and Liferay.
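
One way to check the first suggestion from the Apache side, as an added example that is not part of the original article or Liferay's code: the script reads access-log lines and reports sessions that were served by more than one balancer worker, or whose `JSESSIONID` carries no route suffix to be sticky on. It assumes a Tomcat-style `.jvmRoute` suffix on the session ID and a temporary, hypothetical `LogFormat` (shown in the comment); the log lines, paths, token values and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed lines in an assumed temporary diagnostic format (not from the article):
#   LogFormat "%t \"%r\" %>s sid=%{JSESSIONID}C worker=%{BALANCER_WORKER_ROUTE}e"
SAMPLE_LOG = """\
[30/Jun/2025:10:00:01 +0000] "GET /home HTTP/1.1" 200 sid=AAA111.node1 worker=node1
[30/Jun/2025:10:00:05 +0000] "POST /home?p_auth=tok1 HTTP/1.1" 200 sid=AAA111.node1 worker=node1
[30/Jun/2025:10:00:09 +0000] "POST /home?p_auth=tok1 HTTP/1.1" 403 sid=AAA111.node1 worker=node2
[30/Jun/2025:10:00:11 +0000] "GET /home HTTP/1.1" 200 sid=BBB222 worker=node2
[30/Jun/2025:10:00:12 +0000] "POST /home?p_auth=tok2 HTTP/1.1" 403 sid=BBB222 worker=node1
[30/Jun/2025:10:00:15 +0000] "POST /home?p_auth=tok3 HTTP/1.1" 200 sid=CCC333.node2 worker=node2
[30/Jun/2025:10:00:16 +0000] "GET /favicon.ico HTTP/1.1" 200 sid=- worker=-
"""

LINE_RE = re.compile(
    r'" (?P<status>\d{3}) sid=(?P<sid>\S+) worker=(?P<worker>\S+)$')

def find_sticky_breaks(log_text):
    """Map each non-sticky session ID to its cookie route, workers and 403 count."""
    sessions = defaultdict(
        lambda: {"workers": [], "cookie_route": None, "403_off_route": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["sid"] == "-":
            continue  # unparsable line, or request carried no session cookie
        sid, worker = m["sid"], m["worker"]
        # Tomcat appends ".<jvmRoute>" to the session ID and mod_proxy_balancer
        # routes on that suffix; without it there is nothing to be sticky on.
        route = sid.rpartition(".")[2] if "." in sid else None
        s = sessions[sid]
        s["cookie_route"] = route
        if worker not in s["workers"]:
            s["workers"].append(worker)
        if m["status"] == "403" and worker != route:
            s["403_off_route"] += 1  # 403 from a node the cookie did not name
    return {sid: s for sid, s in sessions.items()
            if len(s["workers"]) > 1 or s["cookie_route"] is None}

if __name__ == "__main__":
    for sid, s in find_sticky_breaks(SAMPLE_LOG).items():
        print(sid, s)
```

Remove the diagnostic `LogFormat` once the check is done, since it writes session IDs to the access log.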

 
