Wrong CSFR in request

I’m using SonarQube 7.7 Community Edition. I’m trying to install SonarQube behind Apache 2.4. I’m using Apache 2.4 as a SSL proxy.

I just have edited two properties in sonar.properties


All works fine in http://myip:19000/sonarqube, but when I configure SonarQube behind Apache 2.4, with this httpd.conf:

<VirtualHost _default_:443>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /sonarqube http://myip:19000/sonarqube
ProxyPassReverse /sonarqube http://myip:19000/sonarqube

and I try to login in https://myip/sonarqube and I try to edit a form (with a POST request)… then SonarQube close my session and throws a logout. If I search in the SonarQube log I see:

DEBUG web[AWtV1ddZzkIdcMqWAAAZ][auth.event] login failure [cause|Wrong CSFR in request][method|JWT][provider|LOCAL|local][IP|xxx.xxx.11.34|xxx.xxx.47.63][login|AWtLPuNDxAaJINzP5NvF]

What am I doing wrong? Thanks in advance

1 Like

Usually, this means a cookie is getting touched by the proxy (;HTTPOnly appended, ;Secure appended) and this shouldn’t be done, SonarQube handles doing this when appropriate.

Could this be the case with your proxy setup?

I believe that proxy is not touching cookies. I have two cookies: JWT_SESSION y XSRF-TOKEN. Both appear to have the same configuration.

I find in documentation https://docs.sonarqube.org/latest/setup/operate-server

To run the SonarQube server over HTTPS, you must build a standard reverse proxy infrastructure.

The reverse proxy must be configured to set the value X_FORWARDED_PROTO: https in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP.

But I do not know if I have to do this and also I do not know how I have to do this. I try to add this line in Apache VirtualHost configuration:

RequestHeader set X-Forwarded-Proto https

but does not work :frowning:

The issue you’re encountering is because the cookie XSRF-TOKEN has his attribute HttpOnly set to true, whereas it should be set to false.

There’s probably something in your configuration that set all HttpOnly attributes to true. You need to update this in order to let this value to false for XSRF-TOKEN.


can I disable this httponly flag in sonarqube configuration? how?

I dont know why but my Apache SSL configuration had a line:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure


I have replace this line with:

Header edit Set-Cookie ^(.*)$ $1;Secure

and SonarQube works! Thanks



Just to wrap this up — SonarQube will automatically append the Secure flag to cookies when it’s being served over SSL, so feel free to simplify your configuration further if you want.

Since I spend half a day trying to figure this out, and his is the top google result for this issue, I’m adding this note maybe it helps someone else:

If your first attempt to use a reverse proxy did not include a subdirectory (sonar.web.context was not set) and then you added it, you might end up with 2 of XSRF-TOKEN and JWT-SESSION one with the path /sonarqube (or whatever sonar.web.context you use) and another for /, delete the ones for / and everything will start working

I can confirm the problem and resolution is right.

In my case there was a problem with a session cookie that has been modified ( by F5 dns server) setting the HttpOnly flag to true.

Due to this problem, after every POST request in sonar application (like create project, change credential, etc…) the screen goes back to login page. Show my screenshot with F12 debug.

It wiill start to work again after change the F5 cookie flag modification, like that:

Examine the XSRF-TOKEN HttpOnly flag and remove it, verify your web server´s configuration or any another security layers that may be in place apart from the Sonar application.