Getting an error "anti-CSRF token validation failed (1013)"

Knowledge Article

Article Number

000220694

Old Article Number

000160954

Article Type

FAQ/Procedural

Title

Getting an error "anti-CSRF token validation failed (1013)"

Summary

Getting an error "anti-CSRF token validation failed (1013)" 18.08,18.05

Product

MyIT Digital Workplace

Component

Applies to

MyIT 18.02 and lower or MyIT 18.05 and higher if they use same instance of Tomcat

Question

STEPS TO REPRODUCE:
1. Open Digital Workplace
2. Open Smart IT in a different tab
3. Go back to digital workplace and raise a request.

ACTUAL RESULTS:
Issue1: Getting an error "anti-CSRF token validation failed (1013) in MyIT"
Issue2: Magnifying glass and user icon on the right upper corner does not appear in Smart IT.

EXPECTED RESULTS:
Error should not be appear while submitting a request when Smart IT and MyIT are open in same browser.

It seems it occurs when we both digital workplace and smart it open in the same browser.

Answer

This knowledge article may contain information that does not apply to version 21.05 or later which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.

CSRF errors when submit SRD is reproducible if you login first to DWP and then login to SmartIT.
For the scenario with login to SmartIT and then to DWP it’s not reproducible.

The root cause of this behavior is refactoring of CSRF token check made by SmartIT
https://github.bmc.com/SmartIT/backend/pull/574

As a result of the refactoring XSRF-TOKEN cookie is added to the SmartIT user’s browser session.
The latest version of Chrome, Firefox and IE is accepting this cookie on priority basis and after login to SmartIT it immediately
becomes “injected” to DWP session in UC but on the backend side it’s still having DWP user’s generated token.

Currently there are possible workaround with this if DWP and SmartIT are on the same Tomcat:
-Login to SmartIT first and then login to DWP;
-Login to SmartIT on the private browser session;

General suggestion is to use the same browser for SmartIT/DWP and if this issue occur is log out from the DWP and login again to refresh CSRF token on the DWP Server.

If above isnt suitable then you can handle this situation using reverse proxy as below,
Example:
Two different beginnings of URIs for DWP and Smart IT are used like dwp.calbro.ch and smartit.calbro.ch. The idea is to provide very easy URIs to the end users like dwp.calbro.ch and smartit.calbro.ch and forward them via proxy to the right DWP and Smart IT application like:

https://dwp.calbro.ch
forwarded to
https://dwp.calbro.ch/ux/myitapp

https://smartit.calbro.ch
forwarded to
https://smartit.calbro.ch/ux/smart-it

To solve the issue, change the proxy configuration like:

https://smartit.calbro.ch
forwarded to
https://dwp.calbro.ch/ux/smart-it

Then DWP and Smart IT will run with the same identical starting URI and both issues "anti-CSRF token validation failed (1013)" and “Magnifying glass and user icon on the right upper corner does not appear in Smart IT.” will be solved,

https://dwp.calbro.ch/ux/myitapp

https://dwp.calbro.ch/ux/smart-it

Attachment(s):