Seeing CSRF Attack Error when JSESSIONID is Changed


Symptoms

  • When using Confluence earlier than 3.3.x, the delete label link does not work in any theme except the Left Navigation Theme. The following appears in atlassian-confluence.log:

ERROR [TP-Processor9] [org.directwebremoting.dwrp.Batch] error A request has been denied as a potential CSRF attack.  -- referer: http://Confluence_URL/display/xxx/pagename | url: /dwr/call/plaincall/SuggestedLabelsForEntity.viewLabels.dwr | userName: user

  • The page editor is fully or partially unusable and may display the text "Draft saving timed out" above the text area.

Causes

The error is thrown by the DWR library, which Confluence versions prior to 3.3.x use for AJAX interaction. DWR raises it because the JSESSIONID presented by the AJAX request differs from the one the page was loaded under, and DWR treats that mismatch as a possible CSRF attack. All Confluence themes except the Left Navigation Theme use DWR, so all of them are affected.

There are reported cases of the JSESSIONID changing when Confluence runs on WebLogic or WebSphere. Incidents have also been reported on Standalone installations, but those were caused by particular proxy or web server configurations.
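As an added illustration (not Confluence's or DWR's own code), the following Python sketch models the check DWR's batch handler performs: the httpSessionId that the page embedded in the AJAX batch must equal the JSESSIONID cookie sent with the request, and a rotated session id fails that comparison exactly as described above. The batch body, session ids and helper names are constructed for this example; the comparison logic is an assumption modelled on DWR 2.x behaviour.

```python
from http.cookies import SimpleCookie
from typing import Dict, Tuple

# Constructed DWR "plaincall" batch body in the key=value line format that
# DWR 2.x clients post. The session and script ids are made-up values.
SAMPLE_BATCH = (
    "callCount=1\n"
    "page=/display/xxx/pagename\n"
    "httpSessionId={sid}\n"
    "scriptSessionId=1234ABCD\n"
    "c0-scriptName=SuggestedLabelsForEntity\n"
    "c0-methodName=viewLabels\n"
    "c0-id=0\n"
    "batchId=0\n"
)


def parse_batch(body: str) -> Dict[str, str]:
    """Parse DWR's line-oriented key=value batch body into a dict."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def check_not_csrf(cookie_header: str, body: str) -> Tuple[bool, str]:
    """Model of DWR's session-consistency check. Returns (allowed, reason)."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    cookie_sid = cookies["JSESSIONID"].value if "JSESSIONID" in cookies else ""
    body_sid = parse_batch(body).get("httpSessionId", "")
    if not cookie_sid:
        return False, "no JSESSIONID cookie on request"
    if body_sid != cookie_sid:
        # This is the branch that logs "denied as a potential CSRF attack".
        return False, f"session id mismatch: body={body_sid!r} cookie={cookie_sid!r}"
    return True, "ok"


def scenario_normal() -> Tuple[bool, str]:
    """Page and AJAX call share one session id: the batch is accepted."""
    sid = "A1B2C3D4"
    return check_not_csrf(f"JSESSIONID={sid}", SAMPLE_BATCH.format(sid=sid))


def scenario_rotated_session() -> Tuple[bool, str]:
    """Page loaded under one id, but the app server or proxy issued a new
    JSESSIONID before the AJAX call fired: the false positive this article describes."""
    return check_not_csrf("JSESSIONID=E5F6A7B8", SAMPLE_BATCH.format(sid="A1B2C3D4"))
```

Running scenario_rotated_session() shows why a proxy or application server that reissues session cookies mid-session breaks every DWR-backed feature, even though the request is legitimate.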

Resolution

Upgrade to Confluence 3.3.x or later, as DWR is no longer used from Confluence 3.3.x onwards.

See the relevant bug report at Seeing CSRF Attack Error when JSESSIONID is Changed for a more detailed description.


Last modified on Mar 30, 2016
