Navigation in Jenkins fails with 'No valid crumb was included in request' errors

Issue

Navigation within Jenkins often fails with: No valid crumb was included in request

Environment

Explanation

Jenkins comes with a CSRF protection feature that is enabled by default. The DefaultCrumbIssuer validates crumbs using the authenticated user’s identity and their web session.

Prior to Jenkins 2.543, the DefaultCrumbIssuer also validated the client IP address of incoming requests. If you are running Jenkins 2.543 or later (starting with CloudBees CI on modern cloud platforms 2.555.1.36485), client IP changes no longer cause crumb validation failures.

The jenkins.model.Jenkins.crumbIssuerProxyCompatibility system property and the excludeClientIPFromCrumb configuration attribute, which were used to disable the IP check, have been removed from Jenkins core. Setting them has no effect.

Crumb validation errors can still occur if:

The web session has expired or been invalidated
The crumb was issued in a different session than the one making the request
CSRF protection is misconfigured

Resolution

Ensure that:

Your HTTP client preserves cookies (session continuity) across requests
If using API calls with username/password authentication, you obtain the crumb and use it within the same session (see CSRF explained)

Workaround

Use API token for authentication since CSRF crumb is no longer required when authenticating using API token. It is no longer necessary to provide a CSRF crumb when sending an HTTP request with Basic authentication that provides the authenticating user’s API token in place of a password. As described on Jenkins documentation.

References

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.