Submit Feedback
Legacy Knowledge Base
Published Jul. 2, 2025

Is request-based p_auth token supported to prevent CSRF attack?

Written By

Emma Liu

How To articles are not official guidelines or officially supporteddocumentation. They are community-contributed content and may not alwaysreflect the latest updates to Liferay DXP. We welcome your feedback toimprove How to articles!

While we make every effort to ensure this Knowledge Base is accurate, itmay not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with anyfeedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack"publication program, made available for informational purposes. Articlesin this program were published without a requirement for independentediting or verification and are provided "as is" withoutguarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • To prevent CSRF attacks, Liferay provides options to enable authentication token security checks. The current token is session-based token. Is request-based p_auth token supported?

Environment

  • Liferay DXP 7.1

Resolution

  • Currently, the p_auth token is generated based on the user session. The request-based token is not supported.

Additional Information

  • There is an existing feature request ticket LPS-52088 about "Making the p_auth-token request-based instead of session-based". 
Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?