Query Console SECURITY-BADREQUEST Invalid CSRF token error
31 May 2017 07:56 PM
This article explains why you may encounter a Cross-Site Request Forgery (CSRF) error (SECURITY-BADREQUEST) when using MarkLogic Server's Query Console application, and how to resolve it.
Since the 8.0-6 release of MarkLogic Server, Query Console is protected against CSRF. Every time you load the application in the browser, there is a handshake between the browser and the server that generates a CSRF token for the logged-in user. This token pairs that browser with the server, and the server stores only one current token per user. If another person logs into Query Console as the same user, their browser performs its own handshake, generating a new token that replaces the one stored for that user. The browser that was previously paired now holds a stale token and will receive the SECURITY-BADREQUEST error on any action in the application that sends a request to the server, until the page is refreshed. Refreshing performs a new handshake, which in turn replaces the token the other browser is using, so two people sharing one account will keep invalidating each other.
MarkLogic implements the industry-standard recommendation for CSRF protection (a per-login token that must accompany every state-changing request). At this time, there is no option to disable this security feature.
The recommended practice is to create a separate MarkLogic Server user for each person using the system, so that each person's browser holds its own token. The "qconsole-user" role is sufficient to use the Query Console application. If a person must be an administrator, you can give them the "admin" role, but note that with this special role the user will have the authority to perform any activity in MarkLogic Server, including adding or deleting users, adding or deleting documents, changing passwords, and so on.