Seeing CSRF Attack Error when JSESSIONID is Changed
When using a Confluence version earlier than 3.3.x, the delete label link does not work in any theme except the Left Navigation Theme, and the following error appears in the log:

ERROR [TP-Processor9] [org.directwebremoting.dwrp.Batch] error A request has been denied as a potential CSRF attack. -- referer: http://Confluence_URL/display/xxx/pagename | url: /dwr/call/plaincall/SuggestedLabelsForEntity.viewLabels.dwr | userName: user

The page editor may also be fully or partially unusable and may display the text "Draft saving timed out" above the text area.
The error is thrown by the DWR library, which Confluence used for AJAX interaction prior to version 3.3.x. DWR protects its endpoints against CSRF with a double-submit check: the page script copies the value of the JSESSIONID cookie into the request body, and the server rejects the request when that value does not match the JSESSIONID cookie that actually arrived with the request. If the JSESSIONID is changed somewhere between the browser and Confluence, the two values no longer agree and DWR denies the request as a potential CSRF attack. All Confluence themes except the Left Navigation Theme use the DWR library, so all of them are affected.
There are reported cases of the JSESSIONID being changed when Confluence runs on WebLogic or WebSphere. Incidents with the Standalone installation have also been reported, but those were traced to particular proxy or web server configurations. To confirm that this is the cause, compare the JSESSIONID value the browser sends with the one Confluence receives (for example, from the browser's request headers and from the proxy or application server access logs); if they differ, look for the proxy or application server setting that rewrites or regenerates the session cookie.
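The following is an added example that models the check described above; it is not DWR's or Confluence's own code. It reproduces the double-submit comparison on a simplified DWR-style batch request and shows why a JSESSIONID rewritten in transit (the proxy or application server case above) is denied. The function names (parseCookies, parseBatchBody, checkDwrBatch, rewriteSessionCookie, formatDenial, buildClientRequest), the host name confluence.example.test and the session id values are this example's own assumptions.

```javascript
'use strict';

// Parse a Cookie request header ("a=1; JSESSIONID=abc") into a name -> value map.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    cookies[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Parse a DWR plaincall batch body: newline-separated key=value lines.
function parseBatchBody(body) {
  const fields = {};
  for (const line of (body || '').split('\n')) {
    const idx = line.indexOf('=');
    if (idx < 0) continue;
    fields[line.slice(0, idx)] = decodeURIComponent(line.slice(idx + 1));
  }
  return fields;
}

// Double-submit check (simplified model of DWR's behaviour): the session id the
// page script copied into the body must equal the JSESSIONID cookie that arrived
// with the request. Returns { allowed, reason } so the caller can log the reason.
function checkDwrBatch(req) {
  const cookieId = parseCookies(req.headers.cookie).JSESSIONID;
  const bodyId = parseBatchBody(req.body).httpSessionId;
  if (!cookieId) {
    return { allowed: false, reason: 'no JSESSIONID cookie on request' };
  }
  if (bodyId !== cookieId) {
    return { allowed: false, reason: 'httpSessionId in body does not match JSESSIONID cookie' };
  }
  return { allowed: true, reason: 'ok' };
}

// Build a log message in the shape Confluence's log shows for a denied batch.
function formatDenial(req, userName) {
  return 'error A request has been denied as a potential CSRF attack. -- referer: ' +
    req.headers.referer + ' | url: ' + req.url + ' | userName: ' + userName;
}

// Build a batch the way the browser-side script does: it reads the session id
// from document.cookie and copies it into the body as httpSessionId.
// The page path and host name are constructed for this example.
function buildClientRequest(documentCookieValue, page) {
  return {
    url: '/dwr/call/plaincall/SuggestedLabelsForEntity.viewLabels.dwr',
    headers: {
      cookie: 'JSESSIONID=' + documentCookieValue,
      referer: 'http://confluence.example.test' + page,
    },
    body: [
      'callCount=1',
      'page=' + encodeURIComponent(page),
      'httpSessionId=' + documentCookieValue,
      'c0-scriptName=SuggestedLabelsForEntity',
      'c0-methodName=viewLabels',
    ].join('\n'),
  };
}

// Model of a proxy or application server that rewrites the session cookie in
// transit: the Cookie header changes, but the body still carries the value the
// page saw, so the two no longer match.
function rewriteSessionCookie(req, newId) {
  const cookies = parseCookies(req.headers.cookie);
  cookies.JSESSIONID = newId;
  const header = Object.keys(cookies).map((k) => k + '=' + cookies[k]).join('; ');
  return { url: req.url, body: req.body, headers: Object.assign({}, req.headers, { cookie: header }) };
}

// Scenario 1: cookie reaches Confluence unchanged -> accepted.
const directRequest = buildClientRequest('A1B2C3D4', '/display/xxx/pagename');
const directResult = checkDwrBatch(directRequest);

// Scenario 2: JSESSIONID rewritten between browser and Confluence -> denied,
// producing the same kind of log message as on this page.
const proxiedRequest = rewriteSessionCookie(directRequest, 'Z9Y8X7W6');
const proxiedResult = checkDwrBatch(proxiedRequest);
const proxiedLogLine = formatDenial(proxiedRequest, 'user');

console.log('direct:', directResult);
console.log('via proxy:', proxiedResult);
console.log(proxiedLogLine);
```

The point to take from the second scenario is that nothing about the request is hostile; the check fails purely because the cookie seen by the server differs from the one the page script read, which is exactly the condition a rewritten or regenerated JSESSIONID creates.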
Upgrade to Confluence 3.3.x or later. DWR is no longer used from Confluence 3.3.x onwards, so the check that produces this error no longer applies.
See the relevant bug report, Seeing CSRF Attack Error when JSESSIONID is Changed, for a more detailed description.