|Applies To||RSA Product Set: Identity Governance & Lifecycle|
RSA Version/Condition: 6.9.1
|Issue||In RSA Identity Governance & Lifecycle, the following warning is encountered during login:|
No CSRF guard token was found in the submitted request
See the errors found in Admin Errors in the UI (Admin > Admin Errors):
The warnings below are found in the aveksaServer.log:
|Cause||Any time you POST data to the product while you have an active session, the posted data has to include a Cross-Site Request Forgery (CSRF) token that matches the one in your session.|
The first time you log in, the POST for the login page skips this check because you do not have a session yet. If you log in successfully, we generate a secure random token and store it in the session. We also include the token as a hidden value on all forms the product generates. From that point forward, as long as that session is active, any request that comes from the browser will include the token (because we put it in all the forms before serving them to the client), and we can match it to the session. Any POST that comes from somewhere else, that is, not from the UI generated for this user by our product, won't have the token and will fail.
If you are seeing this error on login, it means the system thinks you already have an active session. You might be working in different tabs of the same browser or something similar, or the session is still active.
This is the most common reason a CSRF error is generated, and it follows from how the CSRF token works. In some cases the token remains valid for a while after the session is terminated and then becomes invalid; in other cases it becomes invalid as soon as the session is terminated. Either way, this does not cause any harm in the environment.
|Resolution||If you are seeing this error on login, it means the system thinks you already have an active session. You might be working in different tabs of the same browser or something similar, or the session is still active.|
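The token check described under Cause, sketched as an added example (not RSA's code): a session-bound token is matched on every POST, and a login form posted while a session is still active is rejected with the warning above. The field name `csrf_token`, the in-memory `sessions` store, the mismatch message and all form values are assumptions constructed for illustration.

```python
import hmac
import secrets

CSRF_FIELD = "csrf_token"  # assumed field name, not the product's
MISSING = "No CSRF guard token was found in the submitted request"  # text from the page
MISMATCH = "CSRF token does not match the session"  # constructed message

sessions = {}  # session id -> {"user": ..., "csrf": ...}; in-memory stand-in


def create_session(user):
    """After a successful login: new session with a secure random token."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def hidden_field(sid):
    """Hidden input the server adds to every form it serves for this session."""
    return f'<input type="hidden" name="{CSRF_FIELD}" value="{sessions[sid]["csrf"]}">'


def check_post(sid, form):
    """Return (accepted, reason) for a POST that arrived with session id `sid`."""
    session = sessions.get(sid)
    if session is None:
        return True, "no active session, check skipped"  # first login POST
    submitted = form.get(CSRF_FIELD)
    if submitted is None:
        return False, MISSING
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return False, MISMATCH
    return True, "token matches session"


def demo():
    """Walk the cases from the article with constructed form data."""
    login = {"user": "alice", "password": "constructed-value"}
    first_login = check_post(None, login)  # no session yet
    sid = create_session("alice")
    ui_post = check_post(sid, {CSRF_FIELD: sessions[sid]["csrf"], "field": "v"})
    relogin = check_post(sid, login)  # login form sent while session is active
    foreign = check_post(sid, {CSRF_FIELD: "guessed", "field": "v"})
    return first_login, ui_post, relogin, foreign


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The `relogin` case is the one this article covers: the login form carries no token, but the server still finds a live session for the browser and therefore enforces the check.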