Server Administrator's Guide
Redirect URL on possible attack
When a possible XSRF attack is observed, that is, when no valid XSRF token is found in the request, Business Process Portal does not invalidate the session automatically. Instead, BPM portal forwards the user to the configured target URL.
The default implementation of this target URL invalidates the current user session and displays the following message to the user: "For security reasons, your session has been terminated. Please login again or contact administrator."
The target URL should be relative to the context path of the application.
<redirect-url-on-attack>/bpmportal/xsrf_handler.jsp</redirect-url-on-attack>
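
A configuration lint for this setting, as an added example (not code from the product or this guide): it flags values of `redirect-url-on-attack` that are not a local path. The `<xsrf-settings>` wrapper element and the rule that the path must start with `/` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TAG = "redirect-url-on-attack"  # element name as shown on this page

def check_redirect_url(value):
    """Return a list of problems; an empty list means the value passed."""
    v = (value or "").strip()
    if not v:
        return ["value is empty"]
    problems = []
    if any(ord(c) < 0x20 for c in v) or "\\" in v:
        problems.append("contains control characters or a backslash")
    try:
        parts = urlsplit(v)
    except ValueError:
        return problems + ["not parseable as a URL"]
    if parts.scheme or parts.netloc:
        # Covers https://host/..., //host/... and javascript:... values.
        problems.append("has a scheme or host; expected a path only")
    elif not parts.path.startswith("/"):
        # Assumption: the value starts with '/', like the page's example.
        problems.append("path does not start with '/'")
    if ".." in parts.path.split("/"):
        problems.append("path contains a '..' segment")
    return problems

def check_config(xml_text):
    """Lint every redirect-url-on-attack element found in xml_text."""
    root = ET.fromstring(xml_text)
    found = [(el.text, check_redirect_url(el.text)) for el in root.iter(TAG)]
    return found or [(None, ["no <%s> element found" % TAG])]

# Constructed sample; the <xsrf-settings> wrapper is a hypothetical name.
SAMPLE = """<xsrf-settings>
  <redirect-url-on-attack>/bpmportal/xsrf_handler.jsp</redirect-url-on-attack>
</xsrf-settings>"""

if __name__ == "__main__":
    for value, problems in check_config(SAMPLE):
        print(value, "->", problems or "ok")
```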