Need to hide Liferay Auth token as it is visible in Page source
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.
Before using any information from this article, independently verify its suitability for your situation and project.
Issue
- When using the Burp Suite tool to intercept traffic, the Liferay Auth token (p_auth) is visible in the page source, which the user believes could leave the environment vulnerable.
Resolution
This observed behavior is expected and poses no security risk. The Liferay Auth token cannot be hidden: the browser must hold it in order to make authenticated REST/JSONWS calls back to Liferay. The flow works as follows:
- The browser makes a call to their Liferay instance.
- The application server creates a new HttpSession and stores the p_auth token value there.
- Liferay passes the p_auth token back to the browser so that it can make authenticated REST/JSONWS calls back to Liferay, something Liferay depends upon for API access, partial page rendering, etc.
- As those calls reach Liferay, the value in the p_auth token is compared to the value in the HttpSession.
- If the token value does not match, an error is returned (either 403 or 404).
- If the token does match, the service call goes through and will return the requested data.
The key here is the application server's role in creating the HttpSession. Each new browser session with Liferay gets a unique JSESSIONID value, which the application server uses to connect an incoming request to an existing HttpSession; on first access a new HttpSession is created and the JSESSIONID is returned as a browser session cookie. The JSESSIONID cookie is HttpOnly, meaning that browser scripts cannot read the cookie or use it in nefarious ways (i.e. making REST/JSONWS calls to the backend using someone's p_auth token value). So a bad guy using someone else's p_auth token would get a new HttpSession on the server side, and that session would not hold the same p_auth value as the incoming token, which confirms that this is not a security risk.
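The following is an added, self-contained model of the flow described above (the session creation, the p_auth issuance and the comparison on each API call). It is example code written for this article, not Liferay's own implementation: the in-memory session table, the `new_session` and `handle_api_call` functions and the token formats are all constructed for illustration. It shows why a p_auth value copied out of the page source is useless on its own: without the matching JSESSIONID cookie the server lands in a different HttpSession, whose stored p_auth does not match.

```python
import hmac
import secrets

# Constructed in-memory stand-in for the application server's session table,
# keyed by the JSESSIONID cookie value (added example, not Liferay code).
SESSIONS: dict[str, dict] = {}


def new_session() -> tuple[str, str]:
    """First request from a browser: the server creates an HttpSession, stores
    a fresh p_auth value in it and returns (JSESSIONID, p_auth). In the real
    flow the JSESSIONID travels back as an HttpOnly cookie and the p_auth is
    embedded in the page source, which is the part the user saw in Burp."""
    jsessionid = secrets.token_urlsafe(24)
    p_auth = secrets.token_urlsafe(16)
    SESSIONS[jsessionid] = {"p_auth": p_auth}
    return jsessionid, p_auth


def handle_api_call(cookies: dict, p_auth_param: str) -> int:
    """Model of the check Liferay performs on a REST/JSONWS call: locate the
    HttpSession via the JSESSIONID cookie and compare the submitted p_auth with
    the one stored there. Returns an HTTP status code (the article notes the
    real error may be 403 or 404; this model uses 403)."""
    jsessionid = cookies.get("JSESSIONID")
    if jsessionid is None or jsessionid not in SESSIONS:
        # No usable session cookie: the server creates a brand-new HttpSession
        # with its own p_auth, so whatever token was submitted cannot match.
        jsessionid, _ = new_session()
    expected = SESSIONS[jsessionid]["p_auth"]
    # Constant-time comparison; both values are ASCII so encoding is safe.
    if not hmac.compare_digest(expected.encode(), p_auth_param.encode()):
        return 403
    return 200


def demo() -> dict:
    """Walk through the three situations the article reasons about."""
    victim_sid, victim_token = new_session()
    results = {
        # Legitimate browser: correct cookie and the p_auth from its own page.
        "own_session_own_token": handle_api_call(
            {"JSESSIONID": victim_sid}, victim_token
        ),
        # Someone who only has the p_auth seen in the page source, no cookie:
        # the server opens a new HttpSession, so the token does not match.
        "token_without_cookie": handle_api_call({}, victim_token),
        # Someone with their own session trying the victim's p_auth value.
        "other_session_victim_token": handle_api_call(
            {"JSESSIONID": new_session()[0]}, victim_token
        ),
        # The victim's own session with a wrong token is rejected as well.
        "own_session_wrong_token": handle_api_call(
            {"JSESSIONID": victim_sid}, "not-the-right-token"
        ),
    }
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

The only request that succeeds is the one carrying both the session cookie and the p_auth issued into that same session; every other combination gets the error response, which is the reasoning the article gives for why the visible token is not a risk. A quick manual check against a real instance is to replay an intercepted JSONWS request in Burp with the JSESSIONID cookie removed and confirm it is rejected.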