Spotfire Server : the request does not contain the required CSRF token

It may not be possible to access the Web Player due the following errors:

"Failed to load application"
"Could not load configuration"
"Could not load labels"

This may be seen as in the screenshot below



This could also manifest itself as a 403 Access Denied message in the browser.

Upon checking the server logs, as error similiar to below will be seen.

Spotfire Server and session cookies

When accessing the web player via a browser, a HTTP persistent session is established via a JSESSIONID cookie. Another cookie called XSRF-TOKEN is also issued which helps prevent CSRF (Cross Site Request Forgery) attacks.

These can be observed using the Developer Tools / Network in the browser.



Since this is a persisent session, these same two cookies (and values) will be seen in each subsequent request/response to the spotfire server URL. The server will respond with the same cookies/values and the client (browser) will include the same cookies/values in each request.

The error illustrated above means that a spotfire server has not received the correct value for the XSRF-TOKEN cookie that it originally issued at the start of the sesssion.

This issue can be resolved in the following ways

Multiple Spotfire servers in a load balanced configuration

In a load balanced configuration where there are two or more Spotfire servers, it must be ensured that a client session is routed to the same Spotfire server. Otherwise, the other Spotfire servers which are not aware of the issued XSRF token will generate this error.

This is acheived via session affinity (sticky sessions). Please check your load balancing documentation on how to implement this. The session affinity should be based on an application cookie. In this case it should be based on the application (Spotfire server) cookie JSESSIONID

For example in AWS, this can be configured on the Target Group Attributes

Cookies are being issued with the SameSite=None attribute

The following applies with even a single Spotfire server.

Chrome and Edge will not issue cookies if the cookie attribute SameSite is set to None and the Secure attribute is not set on the cookie. In other words the connection is not via HTTPS.

At the time of writing this does not apply to the Firefox browser, so different behaviour might be observed.

A default installation of Spotfire server will not set the SameSite attribute on any cookies. However if for some reason the SameSite=None attribute is being set on cookies via the set-config-prop command, then this issue will be encountered when accessing the Spotfire server URL via HTTP.

If there is a valid reason for this setting, then please contact Revvity support for assistance in resolving this issue. Otherwise, simply remove the cookie attribute declarations from the Spotfire configuration.

1) Export the server configuration (Linux users must run config.sh). This will dump the current configuration to a file called configuration.xml

config.bat export-config

2) Find the lines which decare the SameSite attribute and remove all three of them.

<cookies>
    <same-site>None</same-site>
</cookies>

3) Import the configuration back into Spotfire

config.bat import-config -C "Removed SameSite attribute from cookies"

4) Restart the Spotfire server.


Disabling CSRF protection

As mentioned earlier, disabling CSRF protection is not the correct solution for this issue in most scenarios. It could be done as a temporary or diagnostic step to troubleshooting the issue.

To implement, export the server configuration as above. Then issue the command

config.bat config-csrf-protection --enabled false

Finally, reimport the server configuration

config.bat import-config -c "Disabled CRF protection"

With this configuration the Spotfire server will still be issuing the XSRF-TOKEN cookie, but the check to make sure they are valid will be disabled.


If the issue persists, please contact Revvity support for further assistance.