I am facing 403 Forbidden exceptions whenever `/c/portal/expire_session` or `/c/portal/extend_session` (and some others) are invoked. This happens regularly even when no user is logged in (since the guest user also retains a session).
I switched off automatic session extension in Liferay on purpose (`session.timeout.auto.extend=false`, `session.timeout.redirect.on.expire=true`).
I am using Liferay 6.2 CE GA5 bundled with Tomcat 8.5. It is more or less a plain setup (no extra filters, just some custom portlets and hooks).
MS Edge Developer console:

```
HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfill it. (XHR)POST - https://xxxxx:8443/c/portal/expire_session
```
Tomcat access logs:

```
[21/Nov/2018:09:23:54 +0100] "POST /c/portal/expire_session HTTP/1.1" 403 -
```
Tomcat connector:

```xml
<Connector
    URIEncoding="UTF-8"
    connectionTimeout="20000"
    maxPostSize="20971520"
    port="8443"
    protocol="HTTP/1.1"
    scheme="https"
    server="May the eHealth Solutions be with you"
    secure="true"
    SSLEnabled="true"
    SSLVerifyClient="none"
    SSLProtocol="TLSv1.2"
    SSLCertificateFile="${catalina.home}/conf/localhost.crt"
    SSLCertificateKeyFile="${catalina.home}/conf/localhost.key"
    SSLCACertificateFile="${catalina.home}/conf/localhost.crt"
    SSLHonorCipherOrder="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
```
Any ideas and suggestions highly welcome!
Thx and Cheers Stefan
Just because I hate unanswered questions:
The problem was a CORS filter which correctly checked for `Content-Type` within the request headers.
Liferay's AUI requests do not set this header (funny thing: it's only missing in MS Edge; could not figure out why yet).
What I do now is setting the header in the prototype of `AUI.IO` like so:

```javascript
AUI().IO.prototype._headers = {'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'text/plain;charset=UTF-8'};
```
Now, the request is not filtered out any more by the CORS filter.
Cheers Stefan
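As an added illustration (not part of Stefan's post or of Liferay's or AUI's code), the JavaScript below models both sides of what the answer describes: a filter that refuses POSTs to the session endpoints when `Content-Type` is absent, and prototype-level default headers merged into every request, which is what overriding `AUI().IO.prototype._headers` achieves. The function and variable names are assumed, and no real `AUI().IO` object is used.

```javascript
// Added example, not from the original post. Names below are assumed for
// illustration; the header values are the ones set in the answer's fix.
const AUI_DEFAULT_HEADERS = {
  'X-Requested-With': 'XMLHttpRequest',
  'Content-Type': 'text/plain;charset=UTF-8',
};

// Constructed stand-in for the Liferay endpoints the question reports as failing.
const SESSION_PATHS = new Set(['/c/portal/expire_session', '/c/portal/extend_session']);

// Server side: mimic a filter that rejects POSTs to the session endpoints when
// Content-Type is missing. Header names are compared case-insensitively, as
// HTTP requires. Returns the status code the access log would record.
function corsFilter(request) {
  const headers = Object.fromEntries(
    Object.entries(request.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  if (request.method === 'POST' && SESSION_PATHS.has(request.path)) {
    if (!headers['content-type']) {
      return { status: 403, reason: 'missing Content-Type' };
    }
  }
  return { status: 200, reason: 'ok' };
}

// Client side: merge prototype-level defaults under any per-request headers,
// so an explicit per-request Content-Type still wins over the default.
function sendWithDefaults(request, defaults = AUI_DEFAULT_HEADERS) {
  return { ...request, headers: { ...defaults, ...(request.headers || {}) } };
}

// Constructed request reproducing the Edge case: no Content-Type at all.
const bareRequest = { method: 'POST', path: '/c/portal/expire_session', headers: {} };

// Run the same request through the filter before and after the fix.
function demo() {
  const before = corsFilter(bareRequest).status;                   // 403
  const after = corsFilter(sendWithDefaults(bareRequest)).status;  // 200
  return { before, after };
}

console.log(demo());
```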