{"id":39647,"date":"2025-07-23T20:25:00","date_gmt":"2025-07-23T18:25:00","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=39647"},"modified":"2026-02-25T21:21:19","modified_gmt":"2026-02-25T20:21:19","slug":"dctm-invalid-missing-xsrf-token-on-d2","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/","title":{"rendered":"Dctm – Invalid\/Missing XSRF token on D2"},"content":{"rendered":"\n

During an upgrade project to Documentum 23.4, I faced yet again another interesting behavior from D2. The Documentum Server upgrade happened properly for all components like the Connection Broker, Repositories, D2, etc\u2026 The OTDS was also setup and available\/working properly without too much trouble. However, the deployment of the D2 war file was a bit of another story.<\/p>\n\n\n\n

As usual, we try to make it so that Documentum and all its components are setup as securely as possible. From a WebServer point of view, that include a bunch of Best Practices that we add into our deployments \/ custom images (when using containers), and D2 isn’t without rest. One of such things is for example to setup the Tomcat and D2 application to work only with cookies that have the “secure<\/strong>” and “httpOnly<\/strong>” flags. That is done in a few locations, but in recent versions of D2, there is additional parameters to help control this kind of behavior inside the ESAPI.properties<\/strong> file.<\/p>\n\n\n\n

Note:<\/em><\/strong> there are often confusions about the “httpOnly<\/strong>” flag for cookies, so I think a quick reminder wouldn’t hurt. The “secure<\/strong>” flag means that the cookie can only be sent through HTTPS (except when using localhost), so it’s much harder to get access to it. The “httpOnly<\/strong>” one, contrary to his name, doesn’t mean that the cookie is only for HTTP communications, but it means that it cannot be accessed by client’s scripts like JavaScript. Therefore, sensitive cookies should have both flags, so that they go through the network securely and even when it arrives on the target client’s browser, its access is protected.<\/p>\n\n\n\n

Therefore, as a good practice, I went ahead and configured D2 as secure as I could, even before a 1st deployment, and that included these 4 parameters:<\/p>\n\n\n

\n[tomcat@d2-0 war_prep]$ grep -B1 -E "ForceHttpOnly|ForceSecure" WEB-INF\/classes\/ESAPI.properties\n# Force flags on cookies, if you use HttpUtilities to set cookies\nHttpUtilities.ForceHttpOnlySession=true\nHttpUtilities.ForceSecureSession=true\nHttpUtilities.ForceHttpOnlyCookies=true\n# Whlie doing a cross site access through https make the below flag to true \nHttpUtilities.ForceSecureCookies=true\n[tomcat@d2-0 war_prep]$\n<\/pre><\/div>\n\n\n
Once my D2 WAR file was ready and configured, I tried to deploy it on Tomcat. No errors\/issues during the deployment\/startup of D2. However, accessing the D2 UI ended up with a pretty and infinite loading logo of D2. You probably have all seen that happen at some point:<\/p>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
Nothing on the D2 logs (generated through the logback.xml<\/strong> or log4j2.properties<\/strong>), but on the Tomcat logs, I could see the stack related to that issue when I accessed the URL a few minutes after Tomcat was fully up&running:<\/p>\n\n\n
\n2025-07-08 14:25:56,379 UTC INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [$CATALINA_HOME\/webapps\/D2\/D2.war] has finished in [57,704] ms\n2025-07-08 14:25:56,382 UTC INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8080"]\n2025-07-08 14:25:56,400 UTC INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [57846] milliseconds\n2025-07-08 14:29:36,966 UTC SEVERE [https-jsse-nio-8080-exec-42] org.apache.catalina.core.ApplicationContext.log Key[type=com.emc.x3.server.services.labels.RpcLabelServiceImpl, annotation=[none]]: An RpcTokenException was thrown while processing this call.\n\tcom.google.gwt.user.client.rpc.RpcTokenException: Invalid RPC token (Missing XSRF token: not on request, client IP=xxx.xxx.xxx.xxx)\n\t\tat com.emc.x3.server.D2XsrfProtectedServiceServlet.validateXsrfToken(D2XsrfProtectedServiceServlet.java:33)\n\t\tat com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServlet.onAfterRequestDeserialized(AbstractXsrfProtectedServiceServlet.java:66)\n\t\tat com.emc.x3.server.GuiceRemoteServiceServlet.processCall(GuiceRemoteServiceServlet.java:120)\n\t\tat com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:373)\n\t\tat com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)\n\t\tat jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590)\n\t\tat jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)\n\t\tat com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:290)\n\t\tat com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:280)\n\t\tat com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)\n\t\tat com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)\n\t\tat com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)\n\t\tat org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)\n\t\tat org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)\n\t\tat com.emc.x3.portal.server.filters.authc.X3OTDSAuthenticationFilter.executeChain(X3OTDSAuthenticationFilter.java:1106)\n\t\tat org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)\n\t\tat org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)\n\t\tat org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)\n\t\tat org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)\n\t\tat org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)\n\t\tat org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)\n\t\tat org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)\n\t\tat org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:458)\n\t\tat org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:373)\n\t\tat org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)\n\t\tat org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)\n\t\tat org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)\n\t\tat org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:370)\n\t\tat org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)\n\t\tat com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)\n\t\tat com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)\n\t\tat com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)\n\t\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)\n\t\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)\n\t\tat com.emc.x3.portal.server.filters.X3SessionTimeoutFilter.doFilter(X3SessionTimeoutFilter.java:52)\n\t\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)\n\t\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)\n\t\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)\n\t\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)\n\t\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)\n\t\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)\n\t\tat org.apache.catalina.valves.StuckThreadDetectionValve.invoke(StuckThreadDetectionValve.java:185)\n\t\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)\n\t\tat org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:663)\n\t\tat org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:731)\n\t\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\n\t\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)\n\t\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397)\n\t\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)\n\t\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)\n\t\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)\n\t\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)\n\t\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)\n\t\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)\n\t\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)\n\t\tat java.base\/java.lang.Thread.run(Thread.java:840)\n<\/pre><\/div>\n\n\n
I checked that the XSRF token was indeed generated, and it appeared to be present in the request, at least as shown in the Browser’s Network traces (Developer Tools). It was being generated and forwarded by the browser with both the “secure<\/strong>” and “httpOnly<\/strong>” flags. So, what was the issue then? It took me a bit of time, but I could pinpoint the issue to the ESAPI.properties<\/strong> file and more specifically to the 4 properties I mentioned above, that control the flags of both cookies and sessions. To be exact, I expected the “httpOnly<\/strong>” flag for the cookies to be the issue, since it would hide the XSRF_TOKEN<\/strong> from JavaScript on the client-side. Keeping the content of the WAR file exploded folder the same, I tried to switch this 1 parameter back to false, which is the default value:<\/p>\n\n\n
\n[tomcat@d2-0 ~]$ esapi_file="$CATALINA_HOME\/webapps\/D2\/WEB-INF\/classes\/ESAPI.properties"\n[tomcat@d2-0 ~]$\n[tomcat@d2-0 ~]$ grep -B1 -E "ForceHttpOnly|ForceSecure" ${esapi_file}\n# Force flags on cookies, if you use HttpUtilities to set cookies\nHttpUtilities.ForceHttpOnlySession=true\nHttpUtilities.ForceSecureSession=true\nHttpUtilities.ForceHttpOnlyCookies=true\n# Whlie doing a cross site access through https make the below flag to true\nHttpUtilities.ForceSecureCookies=true\n[tomcat@d2-0 ~]$\n[tomcat@d2-0 ~]$ sed -i 's,\\(HttpUtilities.ForceHttpOnlyCookies\\)=true,\\1=false,' ${esapi_file}\n[tomcat@d2-0 ~]$\n[tomcat@d2-0 ~]$ grep -B1 -E "ForceHttpOnly|ForceSecure" ${esapi_file}\n# Force flags on cookies, if you use HttpUtilities to set cookies\nHttpUtilities.ForceHttpOnlySession=true\nHttpUtilities.ForceSecureSession=true\nHttpUtilities.ForceHttpOnlyCookies=false\n# Whlie doing a cross site access through https make the below flag to true\nHttpUtilities.ForceSecureCookies=true\n[tomcat@d2-0 ~]$\n<\/pre><\/div>\n\n\n
After a restart of Tomcat, the issue was completely gone and the login to D2 through the OTDS was working successfully\u2026 Since I could deploy D2-REST, D2-Smartview and D2-Config with all 4 ESAPI.properties<\/strong> parameter set to “true<\/strong>“, I asked OT if it was expected that only D2 has a problem with “HttpUtilities.ForceHttpOnlyCookies=true<\/strong>“. After a few days of exchange, I got the feedback that it’s not documented but it’s apparently required for D2 to NOT have the “httpOnly<\/strong>” flag because of the XSRF_TOKEN<\/strong>. They will see to create a KB for that topic (update: it was created and it’s available here: KB0845279<\/a>). If you really need to have both flags set, then you will not have any other choice than switching to the new UI, D2-Smartview.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
During an upgrade project to Documentum 23.4, I faced yet again another interesting behavior from D2. The Documentum Server upgrade happened properly for all components like the Connection Broker, Repositories, D2, etc\u2026 The OTDS was also setup and available\/working properly without too much trouble. However, the deployment of the D2 war file was a bit […]<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197,525],"tags":[3642,443,2609,3643,2321,771],"type_dbi":[],"class_list":["post-39647","post","type-post","status-publish","format-standard","hentry","category-application-integration-middleware","category-enterprise-content-management","tag-cookies","tag-d2","tag-documentum-2","tag-httponly","tag-secure","tag-tomcat"],"acf":[],"yoast_head":"\nDctm - Invalid\/Missing XSRF token on D2 - dbi Blog<\/title>\n<meta name=\"description\" content=\"D2 loads indefinitely when the cookies have the httpOnly flag set, which triggers a Missing XSRF token error on D2.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Dctm - Invalid\/Missing XSRF token on D2\" \/>\n<meta property=\"og:description\" content=\"D2 loads indefinitely when the cookies have the httpOnly flag set, which triggers a Missing XSRF token error on D2.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-23T18:25:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-25T20:21:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1437\" \/>\n\t<meta property=\"og:image:height\" content=\"1127\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Morgan Patou\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@MorganPatou\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Morgan Patou\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/\"},\"author\":{\"name\":\"Morgan Patou\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"headline\":\"Dctm – Invalid\/Missing XSRF token on D2\",\"datePublished\":\"2025-07-23T18:25:00+00:00\",\"dateModified\":\"2026-02-25T20:21:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/\"},\"wordCount\":675,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2-1024x803.png\",\"keywords\":[\"cookies\",\"D2\",\"Documentum\",\"httpOnly\",\"secure\",\"Tomcat\"],\"articleSection\":[\"Application integration & Middleware\",\"Enterprise content management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/\",\"name\":\"Dctm - Invalid\/Missing XSRF token on D2 - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2-1024x803.png\",\"datePublished\":\"2025-07-23T18:25:00+00:00\",\"dateModified\":\"2026-02-25T20:21:19+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"description\":\"D2 loads indefinitely when the cookies have the httpOnly flag set, which triggers a Missing XSRF token error on D2.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2.png\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2.png\",\"width\":1437,\"height\":1127},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Dctm – Invalid\/Missing XSRF token on D2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\",\"name\":\"Morgan Patou\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"caption\":\"Morgan Patou\"},\"description\":\"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex & critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.\",\"sameAs\":[\"https:\/\/blog.dbi-services.com\/author\/morgan-patou\/\",\"https:\/\/x.com\/MorganPatou\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Dctm - Invalid\/Missing XSRF token on D2 - dbi Blog","description":"D2 loads indefinitely when the cookies have the httpOnly flag set, which triggers a Missing XSRF token error on D2.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/","og_locale":"en_US","og_type":"article","og_title":"Dctm - Invalid\/Missing XSRF token on D2","og_description":"D2 loads indefinitely when the cookies have the httpOnly flag set, which triggers a Missing XSRF token error on D2.","og_url":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/","og_site_name":"dbi Blog","article_published_time":"2025-07-23T18:25:00+00:00","article_modified_time":"2026-02-25T20:21:19+00:00","og_image":[{"width":1437,"height":1127,"url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2.png","type":"image\/png"}],"author":"Morgan Patou","twitter_card":"summary_large_image","twitter_creator":"@MorganPatou","twitter_misc":{"Written by":"Morgan Patou","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/"},"author":{"name":"Morgan Patou","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"headline":"Dctm – Invalid\/Missing XSRF token on D2","datePublished":"2025-07-23T18:25:00+00:00","dateModified":"2026-02-25T20:21:19+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/"},"wordCount":675,"commentCount":0,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2-1024x803.png","keywords":["cookies","D2","Documentum","httpOnly","secure","Tomcat"],"articleSection":["Application integration & Middleware","Enterprise content management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/","url":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/","name":"Dctm - Invalid\/Missing XSRF token on D2 - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2-1024x803.png","datePublished":"2025-07-23T18:25:00+00:00","dateModified":"2026-02-25T20:21:19+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"description":"D2 loads indefinitely when the cookies have the httpOnly flag set, which triggers a Missing XSRF token error on D2.","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2.png","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2025\/07\/D2.png","width":1437,"height":1127},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/dctm-invalid-missing-xsrf-token-on-d2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Dctm – Invalid\/Missing XSRF token on D2"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8","name":"Morgan Patou","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","caption":"Morgan Patou"},"description":"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex & critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.","sameAs":["https:\/\/blog.dbi-services.com\/author\/morgan-patou\/","https:\/\/x.com\/MorganPatou"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/39647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=39647"}],"version-history":[{"count":2,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/39647\/revisions"}],"predecessor-version":[{"id":43175,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/39647\/revisions\/43175"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=39647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=39647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=39647"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=39647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}