XSRF_FAILURE_BAD_TOKEN when trying to perform some actions in Bamboo

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When attempting to start a build Plan or perform other actions in Bamboo, an XSRF token validation failed error (XSRF_FAILURE_BAD_TOKEN) is shown.

Environment

All Bamboo versions configured with a Proxy/Load Balancer.

Diagnosis

Once the XSRF token validation failed error appears, check the <BAMBOO_HOME>/logs/atlassian-bamboo.log file for more details. Below are some examples of messages you may see:

    Scheme: https
    Server: <BaseURL>
    Port: 443
    URI: /builds/build/admin/triggerManualBuild.action
    Context path: /builds
    Servlet path: /build/admin/triggerManualBuild.action
    Path info:
    Query string: buildKey=<buildkey>
    Stack Trace:
    java.lang.IllegalArgumentException: XSRF Token Validation failed (XSRF_FAILURE_BAD_TOKEN).
        at com.atlassian.bamboo.ww2.interceptors.BambooXsrfTokenInterceptor.doIntercept(BambooXsrfTokenInterceptor.java:66)
        at com.atlassian.bamboo.ww2.interceptors.AbstractBambooInterceptor.intercept(AbstractBambooInterceptor.java:34)
        at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
        at com.atlassian.xwork.interceptors.AroundInterceptor.intercept(AroundInterceptor.java:25)
        ...

    2024-02-23 11:41:56,426 WARN [http-nio-8085-exec-25 url: /bamboo/build/admin/restartBuild.action; user: <username>] [BambooXsrfTokenInterceptor] XSRF token validation failed in session:<session-id> due to XSRF_FAILURE_BAD_TOKEN
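
To see who is affected, the WARN lines can be grouped by user, session and URL. The script below is an added example, not Atlassian's code: the log lines are constructed samples in the format shown above (user names and session ids are made up), and the single-user versus multi-user reading is an assumed triage heuristic for choosing between the Browser and Proxy/Load Balancer steps.

```python
import re
from collections import defaultdict

# Pattern for the WARN line format shown in the Diagnosis section.
WARN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN "
    r"\[\S+ url: (?P<url>[^;]+); user: (?P<user>[^\]]+)\] "
    r"\[BambooXsrfTokenInterceptor\] XSRF token validation failed "
    r"in session:(?P<session>\S+) due to XSRF_FAILURE_BAD_TOKEN"
)

# Constructed sample lines (user names and session ids are made up).
SAMPLE_LOG = """\
2024-02-23 11:41:56,426 WARN [http-nio-8085-exec-25 url: /bamboo/build/admin/restartBuild.action; user: alice] [BambooXsrfTokenInterceptor] XSRF token validation failed in session:SESSION-A due to XSRF_FAILURE_BAD_TOKEN
2024-02-23 11:42:10,101 INFO [http-nio-8085-exec-3] [SomeOtherComponent] unrelated message
2024-02-23 11:43:02,877 WARN [http-nio-8085-exec-7 url: /bamboo/build/admin/triggerManualBuild.action; user: bob] [BambooXsrfTokenInterceptor] XSRF token validation failed in session:SESSION-B due to XSRF_FAILURE_BAD_TOKEN
2024-02-23 11:44:30,015 WARN [http-nio-8085-exec-25 url: /bamboo/build/admin/restartBuild.action; user: alice] [BambooXsrfTokenInterceptor] XSRF token validation failed in session:SESSION-A due to XSRF_FAILURE_BAD_TOKEN
""".splitlines()


def parse_failures(lines):
    """Yield a dict per XSRF_FAILURE_BAD_TOKEN warning; skip everything else."""
    for line in lines:
        match = WARN_RE.match(line.strip())
        if match:
            yield match.groupdict()


def summarize(lines):
    """Group failures by user, collecting the sessions and URLs involved."""
    by_user = defaultdict(lambda: {"count": 0, "sessions": set(), "urls": set()})
    for failure in parse_failures(lines):
        entry = by_user[failure["user"]]
        entry["count"] += 1
        entry["sessions"].add(failure["session"])
        entry["urls"].add(failure["url"])
    return dict(by_user)


def scope(summary):
    """Assumed heuristic: one user suggests the Browser steps, several the proxy."""
    if not summary:
        return "none"
    return "single-user" if len(summary) == 1 else "multi-user"


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for user, info in sorted(result.items()):
        print(user, info["count"], sorted(info["sessions"]), sorted(info["urls"]))
    print("scope:", scope(result))
```

To run it against a real instance, pass the lines of <BAMBOO_HOME>/logs/atlassian-bamboo.log to summarize() instead of SAMPLE_LOG.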

Cause

This error is thrown when the HTTP request parameter (atl_token) does not match the XSRF token in the cookie. In other words, the required security token associated with your browser session is not present, is corrupted, or cannot be detected. Since this is directly affected by Proxy/Load Balancer settings, please see our Cross Site Request Forgery (CSRF) documentation for more details.

Solution

Browser

  1. Use Incognito mode (or Private mode) in your browser, log in to Bamboo, and see if the same error appears. The error may be caused by browser extensions or add-ons that manipulate the session variables and alter headers.

  2. If you do not see the error appearing in private mode, then do the following to fix it in normal mode:

    1. Clear your browser cache, cookies, locally stored content, etc.

    2. Restart your browser and log in to Bamboo.

    3. Attempt the action that was previously generating the error.

Proxy/Load Balancer

  1. Go to your Proxy/Load Balancer settings and make sure that the following directive is not in use:

    Header edit Set-cookie ^(.*)$ $1;HttpOnly;Secure

    This directive adds the "HttpOnly" and "Secure" flags to all Set-Cookie headers in the HTTP response. We highly recommend checking with your Proxy/Load Balancer provider for more details.

Updated on March 10, 2025
