Wrong CSFR in request

I’m using SonarQube 7.7 Community Edition. I’m trying to install SonarQube behind Apache 2.4. I’m using Apache 2.4 as an SSL proxy.

I just have edited two properties in sonar.properties


All works fine in http://myip:19000/sonarqube, but when I configure SonarQube behind Apache 2.4, with this httpd.conf:

<VirtualHost _default_:443>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /sonarqube http://myip:19000/sonarqube
ProxyPassReverse /sonarqube http://myip:19000/sonarqube

and I try to log in at https://myip/sonarqube and edit a form (with a POST request)… then SonarQube closes my session and throws a logout. If I search in the SonarQube log I see:

DEBUG web[AWtV1ddZzkIdcMqWAAAZ][auth.event] login failure [cause|Wrong CSFR in request][method|JWT][provider|LOCAL|local][IP|xxx.xxx.11.34|xxx.xxx.47.63][login|AWtLPuNDxAaJINzP5NvF]

What am I doing wrong? Thanks in advance

Usually, this means a cookie is getting touched by the proxy (;HttpOnly appended, ;Secure appended), and this shouldn’t be done; SonarQube handles doing this when appropriate.

Could this be the case with your proxy setup?

I believe that the proxy is not touching cookies. I have two cookies: JWT_SESSION and XSRF-TOKEN. Both appear to have the same configuration.

I found this in the documentation: https://docs.sonarqube.org/latest/setup/operate-server

To run the SonarQube server over HTTPS, you must build a standard reverse proxy infrastructure.

The reverse proxy must be configured to set the value X_FORWARDED_PROTO: https in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP.

But I do not know if I have to do this, and I also do not know how to do it. I tried adding this line to the Apache VirtualHost configuration:

RequestHeader set X-Forwarded-Proto https

but it does not work :(

The issue you’re encountering is because the cookie XSRF-TOKEN has its HttpOnly attribute set to true, whereas it should be set to false.

There’s probably something in your configuration that sets all HttpOnly attributes to true. You need to update this so that the value stays false for XSRF-TOKEN.


Can I disable this HttpOnly flag in the SonarQube configuration? How?

I don’t know why, but my Apache SSL configuration had a line:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure


I have replaced this line with:

Header edit Set-Cookie ^(.*)$ $1;Secure

and SonarQube works! Thanks



Just to wrap this up — SonarQube will automatically append the Secure flag to cookies when it’s being served over SSL, so feel free to simplify your configuration further if you want.
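
The effect of the two `Header edit Set-Cookie` lines from this thread can be checked offline. The following is an added example, not code from the thread or from SonarQube: it emulates the rewrite on constructed `Set-Cookie` values and flags `HttpOnly` on XSRF-TOKEN as well as attributes the proxy duplicates. The sample cookie values, the function names, and the assumption that page script has to read XSRF-TOKEN are illustrative.

```python
import re

# Cookie the thread says must NOT carry HttpOnly (assumed: page script reads it).
SCRIPT_READABLE = {"XSRF-TOKEN"}

# Constructed backend Set-Cookie values (assumed shape, not captured traffic).
BACKEND_HEADERS = [
    "XSRF-TOKEN=constructed-token; Path=/sonarqube; Secure",
    "JWT_SESSION=constructed.jwt.value; Path=/sonarqube; Secure; HttpOnly",
]

# (pattern, replacement) pairs from the two `Header edit Set-Cookie` lines in the thread.
RULE_BEFORE = (r"^(.*)$", "$1;HttpOnly;Secure")
RULE_AFTER = (r"^(.*)$", "$1;Secure")

def apache_header_edit(value, pattern, replacement):
    """Emulate one `Header edit` pass: rewrite the first regex match only."""
    m = re.search(pattern, value)
    if not m:
        return value
    expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return value[:m.start()] + expanded + value[m.end():]

def parse_set_cookie(value):
    """Return (cookie name, lower-cased attribute names in order)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    return name, [p.partition("=")[0].strip().lower() for p in parts[1:]]

def audit(value):
    """List problems in one Set-Cookie value as the browser would receive it."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if name in SCRIPT_READABLE and "httponly" in attrs:
        findings.append("httponly-on-script-readable-cookie")
    for attr in sorted({a for a in attrs if attrs.count(a) > 1}):
        findings.append("duplicate-attribute:" + attr)
    return findings

def audit_through_proxy(headers, rule=None):
    """Apply the proxy rule (if any) to each header and audit the result."""
    report = {}
    for header in headers:
        rewritten = apache_header_edit(header, *rule) if rule else header
        report[parse_set_cookie(rewritten)[0]] = audit(rewritten)
    return report

if __name__ == "__main__":
    for label, rule in (("before", RULE_BEFORE), ("after", RULE_AFTER), ("no rule", None)):
        print(label, audit_through_proxy(BACKEND_HEADERS, rule))
```

With the original rule the XSRF-TOKEN cookie is reported as `HttpOnly`; with the replacement rule only a duplicated `Secure` remains, which is the leftover the last reply says can be removed.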