
Don't log CSRF attack warnings for expired sessions


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Neutral
    • Fix versions: 6.2.12, 6.2.11
    • Component: core
    • 2

      Magnolia logs CSRF attack warnings for some Vaadin requests once a session expires:

      2021-08-17 09:18:45,517 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/HEARTBEAT/'.
      2021-08-17 09:18:58,069 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/UIDL/'.

      Since Vaadin ships its own CSRF protection mechanism, Magnolia's CSRF token check can be skipped for these URLs.
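      As an added example (not part of this issue or of Magnolia's code), a log triage helper for instances still running a version without this fix: it parses CsrfTokenSecurityFilter warnings in the format shown above and separates hits on the exact Vaadin UIDL/HEARTBEAT paths (covered by Vaadin's own token, so expected once a session expires) from warnings on any other URL, which still deserve a look. The two 'superuser' sample lines are constructed; the first two are the ones quoted in the issue.

```python
import re
from dataclasses import dataclass

# Warning format from the issue; the last two sample lines are constructed.
SAMPLE_LOG = """\
2021-08-17 09:18:45,517 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/HEARTBEAT/'.
2021-08-17 09:18:58,069 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/UIDL/'.
2021-08-17 09:19:02,001 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'superuser' attempted to access url '/.magnolia/admincentral/'.
2021-08-17 09:19:05,333 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'superuser' attempted to access url '/.magnolia/admincentral/UIDL/../../restart'.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN\s+info\.magnolia\.cms\.security\.CsrfTokenSecurityFilter: "
    r"Possible CSRF Attack\. CSRF token not set while user '(?P<user>[^']*)' "
    r"attempted to access url '(?P<url>[^']*)'\.$"
)

# Vaadin's own endpoints under AdminCentral. Anchored on both ends so only the
# exact paths count as expected, not anything that merely starts with them.
VAADIN_PATH_RE = re.compile(r"^/\.magnolia/admincentral/(UIDL|HEARTBEAT)/$")

@dataclass
class CsrfWarning:
    timestamp: str
    user: str
    url: str
    vaadin_endpoint: bool

def parse_csrf_warning(line):
    """Return a CsrfWarning for a CsrfTokenSecurityFilter warning line, else None."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    url = m.group("url")
    return CsrfWarning(m.group("ts"), m.group("user"), url,
                       VAADIN_PATH_RE.match(url) is not None)

def triage(lines):
    """Split into expected (Vaadin endpoint noise this issue removes) and actionable."""
    expected, actionable = [], []
    for line in lines:
        w = parse_csrf_warning(line)
        if w is None:
            continue
        (expected if w.vaadin_endpoint else actionable).append(w)
    return expected, actionable

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```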

        Acceptance criteria

              Assignee / Reporter: Michael Duerig (mduerig)