We have a few custom modules that are part of some building blocks we've developed, and we're getting a "Session Error" when trying to edit the module settings, but only within a course context. Most users are able to click through these annoyances, but some Mac users are running into problems with the page reloading as blank after clicking "OK." If I place the module on the user's home page, they can edit it without getting the error.
My primary concern is, what is causing these errors? The only error showing up in the logs is in the Catalina log:
ERROR 2016-10-10 13:09:09,370 connector-41: userId=_5_1, sessionId=DC1EC6AA50169A44F0F912872F8F28B0 org.directwebremoting.dwrp.Batch - A request has been denied as a potential CSRF attack.
In monitoring the Apache logs, I've noticed that, when clicking on the edit control, the request to /webapps/portal/execute/tabs/tabAction actually has two JSESSIONID values in it...one of the values is consistent with all of the previous requests from a given connection, but the second value (first, I guess, as it appears first in the session_id parameters) is a unique value. This is consistent, though, whether in a course or not, so I'm not sure that this is necessarily responsible. And unfortunately, I haven't found any examples to test, as I haven't found any stock modules that appear in the course and have an edit control.
Does anyone have any experience with this, or might be able to provide any suggestions as to where to start? The info I've been able to find so far links this error to DWR and an issue with a Tomcat configuration, but I'm not sure it's anything I could change. Thanks in advance for any insight!