Thanks for sharing this issue and providing the steps to reproduce it.
I could reproduce, and after investigating, it seems that the CSRF validation fails when there is a specific web context.
I will continue my investigations to see why the CSRF validation fails and hopefully correct it for version 9.6.
Clearing the cookies in the web browser worked on my side.
I had two cookies for the same domain because I first started the application without web context. So I had an XSRF-TOKEN cookie with path “/” and another with path “/sonarqube”.
Removing the cookies for path “/” solves the issue.
Also, cookies are automatically refreshed after a few days, so it will suddenly be working.
I know this topic is quite old but I’d like to confirm that this was the same issue for you:
Do you by any chance remember if you first started without web context?
Do you still reproduce this bug?