Legacy Knowledge Base
Published Jun. 30, 2025

User did not provide a valid CSRF token Error

Written By

John Park

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How to articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • Portlet action requests intermittently return a 403 error code. Whenever the 403 error is returned, the following invalid CSRF token message is written to the logs:

    "User [user_id] did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper"
     
  • When bypassing the web server to access the application server directly, the issue is not reproducible. 

Environment

  • Quarterly Release
  • DXP 7.4

Resolution

Since the issue does not occur when the web server is bypassed, the resolution will likely require a change to the web server configuration.

The following suggestions may be helpful to investigate:

  1. Verify the sticky sessions configuration to ensure requests from the same user are consistently routed to the same Liferay node. Examine Apache's configuration files (e.g., httpd.conf, mod_proxy_balancer configuration) for any inconsistencies or errors related to session stickiness, particularly focusing on how the `JSESSIONID` cookie is handled.
  2. Ensure the configuration aligns with Liferay's requirements for clustered environments, especially concerning the `virtual.hosts.valid.hosts` property in portal-ext.properties. Pay close attention to the interaction between Apache and Liferay's CSRF token generation and validation mechanisms. Look for any discrepancies in the handling of the `p_auth` parameter across requests. A common misconfiguration is an inconsistency in the domain setting for the `JSESSIONID` cookie between Apache and Liferay.
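
One way to check the stickiness from step 1 against Apache's own access log (an added example, not part of the original article or of Liferay's code). It assumes a temporary diagnostic `LogFormat` that records mod_proxy_balancer's `BALANCER_WORKER_ROUTE` variable and the `JSESSIONID` cookie, and Tomcat-style session IDs ending in `.<jvmRoute>`; the log lines, node names and the `analyze` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, assuming a temporary diagnostic format such as:
#   LogFormat "%t \"%r\" %>s route=%{BALANCER_WORKER_ROUTE}e sid=%{JSESSIONID}C" sticky
# Session IDs are credentials: keep this log restricted and drop the format afterwards.
SAMPLE_LOG = """\
[30/Jun/2025:10:00:01 +0000] "GET /web/guest/home HTTP/1.1" 200 route=node1 sid=AAA111.node1
[30/Jun/2025:10:00:05 +0000] "POST /web/guest/home?p_auth=Zx9 HTTP/1.1" 200 route=node1 sid=AAA111.node1
[30/Jun/2025:10:00:07 +0000] "GET /web/guest/home HTTP/1.1" 200 route=node2 sid=BBB222.node2
[30/Jun/2025:10:00:09 +0000] "POST /web/guest/home?p_auth=Qr4 HTTP/1.1" 403 route=node1 sid=BBB222.node2
[30/Jun/2025:10:00:12 +0000] "GET /web/guest/home HTTP/1.1" 200 route=node2 sid=CCC333
"""

LINE_RE = re.compile(r'" (?P<status>\d{3}) route=(?P<worker>\S+) sid=(?P<sid>\S+)$')


def analyze(log_text):
    """Report sessions served by several workers, cookies that carry no
    route suffix, and 403 responses served by a worker the cookie did not name."""
    workers = defaultdict(set)  # session id -> workers that served it
    no_route = set()
    off_route_403 = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m or m["sid"] == "-":  # Apache logs "-" when the cookie is absent
            continue
        sid, worker = m["sid"], m["worker"]
        workers[sid].add(worker)
        # Assumed Tomcat-style ID: "<id>.<jvmRoute>"; the balancer routes on the suffix.
        cookie_route = sid.partition(".")[2] or None
        if cookie_route is None:
            no_route.add(sid)
        if m["status"] == "403" and cookie_route != worker:
            off_route_403.append((sid, cookie_route, worker))
    return {
        "split_sessions": {s: sorted(w) for s, w in workers.items() if len(w) > 1},
        "no_route_suffix": sorted(no_route),
        "off_route_403": off_route_403,
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

Entries in `split_sessions` or `off_route_403` show requests for one session reaching more than one node, which is the condition step 1 asks you to rule out. An entry in `no_route_suffix` means the cookie carries no route for the balancer to match.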

 
