Magnolia / MAGNOLIA-8154

Don't log CSRF attack warnings for expired sessions


Details

    • Improvement
    • Resolution: Fixed
    • Neutral
    • 6.2.12
    • 6.2.11
    • core
    • 2

    Description

      Magnolia logs CSRF attack warnings for some Vaadin requests once a session expires:

      2021-08-17 09:18:45,517 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/HEARTBEAT/'.
      2021-08-17 09:18:58,069 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/UIDL/'.

      Both requests belong to Vaadin's client-server traffic (the UI heartbeat and the UIDL channel). Once the HTTP session has expired, the request is attributed to 'anonymous' and Magnolia's own CSRF token is no longer available, so the filter reports an attack where there is only a browser still polling an expired AdminCentral session. Since Vaadin applies its own CSRF protection to these requests, Magnolia's token check can be skipped for these URLs. The exemption should be limited to exactly these Vaadin endpoints, so that every other state-changing request is still covered by the filter.
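      As an added illustration (not Magnolia's CsrfTokenSecurityFilter and not the change made for this issue), the following plain javax.servlet filter applies the approach described above: the two Vaadin endpoints from the log are exempted by exact path, safe methods are not checked, and every other request must carry the session's token. The class name, the token attribute/parameter name csrfToken and the use of java.util.logging are assumptions; it assumes Java 9+ and the javax.servlet API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative CSRF token filter (hypothetical, not Magnolia's own code).
 * Vaadin's endpoints are exempted because Vaadin checks its own CSRF token
 * there; every other state-changing request must carry the session token.
 */
public class ExampleCsrfTokenFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(ExampleCsrfTokenFilter.class.getName());

    // Exact context-relative paths of the Vaadin endpoints seen in the log lines.
    // Matched with equals(), not startsWith(), so the exemption cannot be widened
    // by appending further path segments.
    static final Set<String> VAADIN_PROTECTED_PATHS = Set.of(
            "/.magnolia/admincentral/HEARTBEAT/",
            "/.magnolia/admincentral/UIDL/");

    // Methods that must not change state and therefore need no token.
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    // Assumed name of the session attribute and request parameter holding the token.
    static final String TOKEN_NAME = "csrfToken";

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!needsTokenCheck(request) || tokenMatches(request)) {
            chain.doFilter(req, res);
            return;
        }
        // A failed check on a non-Vaadin, state-changing request is still reported.
        LOG.warning("Possible CSRF attack: token missing or wrong for "
                + request.getMethod() + " " + contextRelativePath(request));
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /** Request path relative to the web application, without the query string. */
    static String contextRelativePath(HttpServletRequest request) {
        return request.getRequestURI().substring(request.getContextPath().length());
    }

    /** Safe methods and Vaadin's own endpoints are not checked by this filter. */
    static boolean needsTokenCheck(HttpServletRequest request) {
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;
        }
        return !VAADIN_PROTECTED_PATHS.contains(contextRelativePath(request));
    }

    /** Compares the submitted token with the session token in constant time. */
    static boolean tokenMatches(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session here
        if (session == null) {
            return false; // expired or absent session: no token can be valid
        }
        Object expected = session.getAttribute(TOKEN_NAME);
        String submitted = request.getParameter(TOKEN_NAME);
        if (!(expected instanceof String) || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

      With this layout a heartbeat or UIDL request from a browser whose session has expired is passed straight to Vaadin, which enforces its own token, while a token failure on any other state-changing request is still logged and rejected. The allowlist must only ever contain paths that Vaadin itself protects, because that protection is the sole justification for skipping the check.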

    People

      mduerig Michael Duerig