CSRF Check Failed

Error messages can be annoying, especially if you don't understand what they mean! "CSRF Check Failed" is an error you may get when submitting forms.

What does "CSRF" mean?

CSRF stands for "Cross-Site Request Forgery". It occurs when a website tricks your browser into sending a request to another server, like ours, without your knowledge. Since this request may include your session cookies, our server might believe you initiated the action, even though it was initiated by a third-party website.

This can allow an attacker to perform actions on your behalf without your consent, simply by having you visit a malicious website. For obvious reasons, this is bad!

What does "CSRF Check Failed" mean?

When you request a form, we'll generate an "Anti-CSRF Token", which will be linked to your session ID. This token will be embedded into the form and will be unique to each request.

When the form is submitted, we'll check if the Anti-CSRF Token matches the one linked to your session. If it doesn't, the error "CSRF Check Failed" will be returned and the server will ignore the request.

This fixes the security vulnerability mentioned above: another website won't have access to your unique session ID, and therefore won't have access to the unique Anti-CSRF Token linked to it. A request forged by that website can't include a matching token, so the server ignores it.

Troubleshooting

If you submitted a legitimate form and received this error, resubmitting the form will usually fix it. If it doesn't, you may run a CSRF test, which may find the problem. If that doesn't work, here are some tips you can try:

  1. Close any other EBA Network tabs: Your Anti-CSRF Token may be regenerated or cleared every time you make a new request to our services. Closing those tabs and refreshing the form should ensure this token is not regenerated or cleared.
  2. Don't wait to submit: If you submit the form long after requesting it, your session ID might expire, along with your Anti-CSRF Token. Be sure to complete the form in a timely manner.
  3. Ensure cookies are enabled: Your session ID is stored using cookies. If that cookie isn't being saved properly, each request will use a different session ID AND a different Anti-CSRF Token.
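
The token check described under "What does CSRF Check Failed mean?" and the three troubleshooting cases above, as an added Python example that is not this site's own code. The names CsrfStore and scenarios, the in-memory dictionary, the session lifetime and the rotate-after-use behaviour are assumptions made for illustration.

```python
import hmac
import secrets
import time

ERROR = "CSRF Check Failed"

class CsrfStore:
    """Keeps one current anti-CSRF token per session ID (constructed model)."""

    def __init__(self, ttl=1800, clock=time.time):  # ttl: assumed session lifetime (s)
        self.ttl, self.clock = ttl, clock
        self.sessions = {}  # session_id -> [token, expires_at]

    def issue(self, session_id):
        """Form requested: generate a fresh token, replacing any earlier one."""
        token = secrets.token_urlsafe(32)
        self.sessions[session_id] = [token, self.clock() + self.ttl]
        return token

    def check(self, session_id, submitted):
        """Form submitted: return None if the token matches, else the error."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return ERROR  # unknown session, e.g. the cookie was not saved
        token, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[session_id]
            return ERROR  # session expired, and its token with it
        # Constant-time comparison so response timing does not leak the token.
        if not hmac.compare_digest(token.encode(), str(submitted).encode()):
            return ERROR  # missing, forged, or superseded by a newer request
        entry[0] = secrets.token_urlsafe(32)  # assumed single use: a replay now fails
        return None

def scenarios():
    """Replay the troubleshooting cases with a fake clock; returns each outcome."""
    now = [0]
    store = CsrfStore(ttl=60, clock=lambda: now[0])
    out = {"legit": store.check("A", store.issue("A"))}
    store.issue("A")
    out["forged"] = store.check("A", "attacker-guess")  # third party cannot read the token
    tab1 = store.issue("A")
    store.issue("A")  # a second tab requests a form and regenerates the token
    out["other_tab"] = store.check("A", tab1)
    late = store.issue("A")
    now[0] = 61  # user waits past the session lifetime
    out["waited"] = store.check("A", late)
    out["no_cookie"] = store.check("B", store.issue("A"))  # new session ID each request
    return out
```

Only the "legit" case returns None; the forged request and each of the three troubleshooting cases return "CSRF Check Failed".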