CSRF Security Errors
Problem
Using Tomcat 7, every request from the Escenic Community Expansion is rejected as a potential CSRF (cross-site request forgery) attack, resulting in this session error message:
A request has been denied as a potential CSRF attack
Solution
In Tomcat 7 the useHttpOnly option is set to true by default, and this setting is not supported by the Escenic Community Expansion's qualification module. To fix the problem, edit context.xml in your Tomcat installation's conf directory and set useHttpOnly to false:
<Context useHttpOnly="false">
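As an added check (not part of the original article), the script below verifies that a context.xml fragment is well-formed XML and declares useHttpOnly="false", and inspects a response's Set-Cookie headers to confirm the JSESSIONID cookie (Tomcat's default session cookie name, assumed unchanged) no longer carries the HttpOnly flag. The XML fragments and headers are constructed samples.

```python
"""Verify the Tomcat useHttpOnly change: config side and cookie side."""
import xml.etree.ElementTree as ET
from typing import Iterable, Optional


def is_well_formed(context_xml: str) -> bool:
    """True if the fragment parses as XML (an unquoted attribute value does not)."""
    try:
        ET.fromstring(context_xml)
        return True
    except ET.ParseError:
        return False


def context_use_http_only(context_xml: str) -> bool:
    """Return the effective useHttpOnly value declared on the <Context> element.

    Tomcat 7 treats a missing attribute as true, so absence reports True.
    """
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("root element is not <Context>")
    value = root.get("useHttpOnly")
    if value is None:
        return True  # Tomcat 7 default
    return value.strip().lower() == "true"


def session_cookie_is_http_only(set_cookie_headers: Iterable[str]) -> Optional[bool]:
    """Report whether the JSESSIONID cookie in the given Set-Cookie headers
    carries HttpOnly; None if no JSESSIONID cookie is present."""
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        if name == "JSESSIONID":
            return any(p.lower() == "httponly" for p in parts[1:])
    return None


# Constructed samples (not captured from a real server)
BROKEN_CONTEXT = '<Context useHttpOnly=false >'           # unquoted value: not well-formed
FIXED_CONTEXT = '<Context useHttpOnly="false"></Context>'  # corrected form
HEADERS_BEFORE = ["JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"]
HEADERS_AFTER = ["JSESSIONID=0123456789ABCDEF; Path=/"]
```

Because dropping HttpOnly makes the session cookie readable by client-side scripts, keep the attribute on the application's own context rather than the global conf/context.xml where possible.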