Seeing CSRF Attack Error when JSESSIONID is Changed

Still need help?

The Atlassian Community is here for you.

Ask the community


When using Confluence earlier than 3.3.x, the delete label link does not work in all themes except for the Left Navigation Theme. The following appears in the atlassian-confluence.log:

ERROR [TP-Processor9\] [org.directwebremoting.dwrp.Batch\] error A request has been denied as a potential CSRF attack.  -- referer: http://Confluence_URL/display/xxx/pagename \| url: /dwr/call/plaincall/SuggestedLabelsForEntity.viewLabels.dwr \| userName: user
  • Page editor is fully or partially unusable and it may display the text "Draft saving timed out" on top of the text area


The error was thrown by the DWR library, which is used by Confluence prior to version 3.3.x for AJAX interaction. The reason being the JSESSIONID used by Confluence is different than it was before, triggering a security response as a result. This means that all Confluence themes (except for Left Navigation Theme) will be affected because they use the DWR library.

There are reported cases where JSESSIONID can be changed when using Weblogic and WebSphere. Incidents when using Standalone installation was also reported but it was related to certain proxy / web server configuration.


Upgrade to Confluence 3.3.x or later as DWR is no longer used in Confluence 3.3.x onwards.

See the relevant bug report at Seeing CSRF Attack Error when JSESSIONID is Changed for a more detailed description.

Last modified on Mar 30, 2016

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.