grouper-users - [grouper-users] Grouper UI CSRF error -- required token is missing from the request
Subject: Grouper Users - Open Discussion List
- From: Shaun Koh <>
- To: "" <>
- Subject: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
- Date: Thu, 3 Nov 2016 04:21:38 +0000
- Accept-language: en-US, en-NZ
Hi there,

We’ve run into an error when attempting to access the UI that says `Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error.`. We use Shibb SSO for our authN and from the debug/error logs, it seems that users are being successfully matched against subjects in the DB though the redirect to /grouper/grouperUi is being marked as a potential CSRF attack apparently due to missing token in the request:

2016-11-03 17:02:40,432: [http-8080-3] DEBUG GrouperUiFilter.remoteUser(638) - - httpServletRequest.getRemoteUser(): null, UOAid header: ${some_user_id}, remoteUser overall: ${some_user_id},
2016-11-03 17:02:40,433: [http-8080-3] INFO EventLog.info(156) - - [ccc13c1558c14e6f8d9eb7bb0892c8ac,'GrouperSystem','application'] session: start (1ms)
2016-11-03 17:02:40,433: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/index.jsp
2016-11-03 17:02:40,481: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi
2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:${some_ip}, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)

I’ve had a look at similar threads in the mailing lists though none of the solutions worked for us. Also, this only happens in our DEV environment and not TEST which worked seamlessly until 2-3 days ago. -- I do not recall us making any changes that may have caused this issue.

Any help or suggestions would be much appreciated.

Best Regards,
Shaun K.
- [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/03/2016
- [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Jeffrey Eaton, 11/03/2016
- RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Waldbieser, Carl, 11/04/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/04/2016
- RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/05/2016