XSRF Security Token Missing
Symptoms
While creating a repository or a project in Stash, the action fails with the following message:
XSRF Security Token Missing
Stash could not complete this action due to a missing or expired form token. You may have cleared your browser cookies, which could have resulted in the expiry of your current form token. A new form token has been issued. The original input has been captured and you can retry the operation. Any file attachments in the original input will be lost.
Causes
There are four known causes of this error.

Cause 1: HTTP Basic Authentication at a proxy. This can happen if a proxy configured in front of the Stash server uses HTTP Basic Authentication (for example Apache mod_auth_basic), because Stash 2.10+ does not support sessions for HTTP basic authentication. Stash explicitly invalidates the HTTP session at the end of every request that uses basic authentication. This is done for scalability, so that Tomcat does not hold a possibly large number of sessions that were each created to serve only one request. As a result, anything that relies on sessions (e.g. XSRF protection) no longer works.

Cause 2: A misconfigured Tomcat connector. Specifically, an insecure (plain HTTP) connector that incorrectly contains the secure="true" attribute and value.

Cause 3: Multiple Atlassian products on the same server and domain, differentiated only by port number. Java web applications identify your session by setting a cookie in your browser. This cookie is bound to the hostname and path that each application is deployed to, but it ignores the port. Applications that reside at URLs where only the port differs may unintentionally overwrite each other's session information, resulting in lost sessions. You will experience these problems if you are running your Atlassian (or other Java) applications on the same URL path with the only difference between applications being the port. Examples are:
- http://localhost:8080 and http://localhost:8090
- http://your.domain.com:8080 and http://your.domain.com:8090

Cause 4: Stash Data Center without sticky sessions. If running Stash Data Center, this can be caused by the load balancer not using sticky sessions.
Resolutions
Cause 1 (HTTP Basic Authentication at the proxy): disable HTTP Basic Authentication within the proxy settings. Related issue: STASH-4667.
Cause 2 (misconfigured Tomcat connector):
- Stop Stash.
- Remove the secure="true" attribute and value from the insecure Tomcat connector.
- Start Stash.
Cause 3 (same domain, different ports): add a context path for Stash. Please see Moving Stash to a different context path.
Cause 4 (Stash Data Center): enable sticky sessions (also known as session affinity) on the load balancer.
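The following script is an added example, not part of the original article or of Stash itself; it flags Tomcat connectors that carry secure="true" while serving plain HTTP (the misconfigured-connector cause above). It assumes a Tomcat server.xml-style document; the sample XML is constructed for illustration, and a connector that declares scheme="https" is treated as intentionally sitting behind an HTTPS-terminating proxy rather than as misconfigured.

```python
"""Flag Tomcat <Connector> elements that claim secure="true" but serve plain HTTP.

A connector marked secure="true" makes Tomcat issue its session cookie with the
Secure flag, so a browser that reached it over plain HTTP never sends the cookie
back, the session is lost, and the next form post fails the XSRF token check.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not from any real installation). Port 7990 is the
# misconfiguration; 7999 is a legitimate HTTPS-terminating-proxy setup;
# 8443 terminates TLS in Tomcat itself; 8080 is an ordinary HTTP connector.
SAMPLE_SERVER_XML = """
<Server port="8006" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7990" protocol="HTTP/1.1" secure="true"/>
    <Connector port="7999" protocol="HTTP/1.1" secure="true" scheme="https"
               proxyName="stash.example.com" proxyPort="443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               secure="true" scheme="https"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def find_misconfigured_connectors(server_xml):
    """Return the ports of connectors that set secure="true" but neither
    terminate TLS themselves (SSLEnabled) nor advertise an HTTPS front end
    (scheme="https"): plain-HTTP connectors wrongly marked secure."""
    root = ET.fromstring(server_xml)
    suspicious = []
    for conn in root.iter("Connector"):
        if not _is_true(conn.get("secure")):
            continue
        if _is_true(conn.get("SSLEnabled")):
            continue  # Tomcat terminates TLS here; secure="true" is correct
        if (conn.get("scheme") or "").lower() == "https":
            continue  # TLS is terminated at a reverse proxy in front; intended
        suspicious.append(conn.get("port", "?"))
    return suspicious


if __name__ == "__main__":
    for port in find_misconfigured_connectors(SAMPLE_SERVER_XML):
        print(f'Connector on port {port}: secure="true" on a plain-HTTP connector')
```

Run it against a copy of the real server.xml (for example by reading the file into a string) and remove secure="true" from any connector it reports.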