Last Modified Date: 28 Oct 2016
Resolution
No action necessary; this behavior is by design.

Cause
For protection, the session_id cookie has the HttpOnly flag set. Authentication cannot be completed with the XSRF-TOKEN alone; it succeeds only when the XSRF-TOKEN is paired with the protected session_id cookie.

Additional Information
See the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet at the Open Web Application Security Project (OWASP) for more information about the Double Submit Cookie pattern.
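The server-side check described in the Cause section, written out as an added illustration (this is not the product's code): the HttpOnly session_id cookie must be valid, and the XSRF-TOKEN echoed in the request header must match the token paired with that session. The cookie and header names, the in-memory session store and the sample values are assumptions made for this example.

```python
import hmac
import secrets

# Assumed names for this example; a real product may use different ones.
SESSION_COOKIE = "session_id"   # HttpOnly: page scripts cannot read it
XSRF_COOKIE = "XSRF-TOKEN"      # readable by page scripts on purpose
XSRF_HEADER = "X-XSRF-TOKEN"    # the page script copies the cookie value here

# Constructed session store: session_id -> XSRF token issued with it.
SESSIONS = {
    "sess-aaa111": "tok-0001",
}


def issue_session():
    """Create a session and its paired XSRF token (constructed, in-memory)."""
    sid = "sess-" + secrets.token_hex(8)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token


def verify_request(cookies, headers):
    """Return (ok, reason) for a state-changing request.

    The request is accepted only when the HttpOnly session cookie identifies a
    live session AND the XSRF-TOKEN value echoed in the header matches the
    token paired with that session. A leaked XSRF-TOKEN alone, without the
    session cookie, is therefore never sufficient.
    """
    sid = cookies.get(SESSION_COOKIE)
    if sid not in SESSIONS:
        return False, "missing or unknown session_id cookie"
    cookie_token = cookies.get(XSRF_COOKIE, "")
    header_token = headers.get(XSRF_HEADER, "")
    if not cookie_token or not header_token:
        return False, "XSRF-TOKEN cookie or header absent"
    # Constant-time comparisons avoid leaking the token through timing.
    if not hmac.compare_digest(header_token, cookie_token):
        return False, "XSRF-TOKEN header does not match cookie"
    if not hmac.compare_digest(cookie_token, SESSIONS[sid]):
        return False, "XSRF-TOKEN is not the one paired with this session"
    return True, "ok"
```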