Troubleshooting
Problem
Cause
Diagnosing The Problem
[1/5/17 12:04:51:111 CDT] 000000e0 SessionFactor E Possible Cross-Site Request Forgery Attack. Request URL: https://9.99.9.99:9443/ibm/iis/igc HTTP Referer Header: https://server_abcd/lineageUIService?iis=https://9.99.9.99:9443/ibm/iis/igc
[1/5/17 12:04:51:116 CDT] 000000e0 SessionFactor E com.ibm.iis.isf.security.impl.SessionFactory isXsrfSafe Possible Cross-Site Request Forgery Attack. Request URL: https://9.99.9.99:9443/ibm/iis/igc HTTP Referer Header: https://server_abcd/lineageUIService?iis=https://9.99.9.99:9443/ibm/iis/igc
Resolving The Problem
If you need to turn the referer check off as a temporary workaround (this disables the CSRF protection the check provides, so re-enable it as soon as the fix described below is installed), run the iisAdmin command to set com.ibm.iis.isf.security.RefererCheckEnabled to false:
cd $IS_HOME/ASBServer/bin
./iisAdmin.sh -set -key com.ibm.iis.isf.security.RefererCheckEnabled -value false
Once the command completes successfully, confirm that the referer checker is turned off:
./iisAdmin.sh -d -key com.ibm.iis.isf.security.RefererCheckEnabled
The command output should show the key is set to false.
You must restart WebSphere for this change to take effect.
A fix has been provided in ISF 11.5 Rollup 6. Alternatively, 11.5 Fix Pack 2 can be installed.
After installing the fix, the check must be turned back ON, and a comma separated list of domain names to check against must be provided in com.ibm.iis.isf.security.AllowedRefererDomainNames. The domain name is the string after the first dot character of the referer host name. For example, if the referer URL is https://fed.dev.company.com/pathname, then the referer host name is fed.dev.company.com and the domain name value is dev.company.com:
./iisAdmin.sh -set -key com.ibm.iis.isf.security.RefererCheckEnabled -value true
./iisAdmin.sh -set -key com.ibm.iis.isf.security.AllowedRefererDomainNames -value dev.company.com
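The following script is an added worked example and is not IBM's code or a description of how ISF implements the check. It applies the domain rule stated above to referer hosts pulled out of the "Possible Cross-Site Request Forgery Attack" messages, so you can read off the AllowedRefererDomainNames entries a log calls for before re-enabling the check, and it models the check itself. The model makes three assumptions that the technote does not state: a referer on the same host as the request URL passes; a referer that is absent or unparsable is rejected; and a referer host with no dot (such as server_abcd in the log above) or an IP literal yields no domain under the "after the first dot" rule and therefore can never match the list. The log lines are constructed for the example, modelled on the messages shown above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample SystemOut.log lines (not real captures), modelled on the
# messages in the technote plus one unrelated line to show it is ignored.
SAMPLE_LOG = """\
[1/5/17 12:04:51:116 CDT] 000000e0 SessionFactor E com.ibm.iis.isf.security.impl.SessionFactory isXsrfSafe Possible Cross-Site Request Forgery Attack. Request URL: https://9.99.9.99:9443/ibm/iis/igc HTTP Referer Header: https://server_abcd/lineageUIService?iis=https://9.99.9.99:9443/ibm/iis/igc
[1/5/17 12:06:02:004 CDT] 000000e1 SessionFactor E com.ibm.iis.isf.security.impl.SessionFactory isXsrfSafe Possible Cross-Site Request Forgery Attack. Request URL: https://iis.dev.company.com:9443/ibm/iis/igc HTTP Referer Header: https://fed.dev.company.com/lineageUIService
[1/5/17 12:07:15:230 CDT] 000000e2 SessionFactor I unrelated informational message
"""

# Matches the two fields the isXsrfSafe message prints.
XSRF_RE = re.compile(
    r"Possible Cross-Site Request Forgery Attack\. Request URL: (?P<url>\S+) "
    r"HTTP Referer Header: (?P<referer>\S+)"
)


def host_of(url):
    """Lower-cased host name of a URL without the port; None if there is none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_of(host):
    """Domain name per the technote's rule: the text after the first dot of the
    referer host name. Assumption (not from the technote): a host with no dot
    or an IP literal has no usable domain, so None is returned."""
    if host is None or is_ip_literal(host) or "." not in host:
        return None
    return host.split(".", 1)[1]


def referer_allowed(request_url, referer, check_enabled=True, allowed_domains=()):
    """Model of the referer check (assumption; not ISF's implementation).
    check_enabled=False mirrors RefererCheckEnabled=false: everything passes,
    which is exactly why that setting is only a temporary workaround."""
    if not check_enabled:
        return True
    ref_host = host_of(referer) if referer else None
    if ref_host is None:
        return False                      # no or unparsable Referer: reject
    if ref_host == host_of(request_url):
        return True                       # same host as the request URL
    allowed = {d.strip().lower() for d in allowed_domains if d.strip()}
    return domain_of(ref_host) in allowed


def parse_xsrf_events(log_text):
    """(request_url, referer) for every flagged line in the log text."""
    return [
        (m.group("url"), m.group("referer"))
        for line in log_text.splitlines()
        if (m := XSRF_RE.search(line))
    ]


def needed_domains(log_text):
    """For each flagged referer, the AllowedRefererDomainNames entry that would
    let it pass, or None when the referer host yields no usable domain."""
    return [(ref, domain_of(host_of(ref))) for _, ref in parse_xsrf_events(log_text)]


def allowed_list_value(log_text):
    """Comma separated value for the -value argument, built from the usable domains."""
    return ",".join(sorted({d for _, d in needed_domains(log_text) if d}))


if __name__ == "__main__":
    for ref, dom in needed_domains(SAMPLE_LOG):
        print(f"{ref} -> {dom or 'NO USABLE DOMAIN (short host name or IP literal)'}")
    print("AllowedRefererDomainNames value:", allowed_list_value(SAMPLE_LOG))
```

Run against the sample, the script reports that https://fed.dev.company.com/... needs dev.company.com in the list, while https://server_abcd/... has no domain under the stated rule, so adding the fix and the allowed list will not silence that event by itself; a practitioner would first look at why that client presents a short host name in its referer.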
Related Information
Document Information
Modified date:
04 April 2019
UID
swg21979949