After reviewing the CSRF concept in Magnolia, we concluded on a couple of solutions:
MAGNOLIA-8209 (just FYI here):
- First, reduce the number of cookies generated for every request. Tentatively, recycle the cookie name (sub-domain only) and update its value?
In this ticket:
- Reconsider applying the token generation to everything, unless the Form loginHandler's allowedMethods includes GET (disabled by default since MAGNOLIA-8115).
- Split implementation of synchronizer-pattern vs. double-submit cookie pattern into two CSRF filters, with their own bypasses.
See SUPPORT-13766 for the original bug report.
As QA, we should verify that the solution also positively impacts the number of cookies and the header size.
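To make the two decisions above concrete (token generation only where it is needed, and separate synchronizer-token and double-submit-cookie filters with their own bypass lists), here is an added illustrative model written for this note; it is not Magnolia's code. The `Request` shape, the `/login` path, the bypass paths and the `X-CSRF-Token` header name are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a servlet request (assumed shape, not Magnolia's API)."""
    method: str
    path: str
    session: dict = field(default_factory=dict)  # server-side session store
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def needs_token(req, login_path="/login", login_allowed_methods=("POST",)):
    """State-changing requests always need a token. Safe methods are exempt,
    except that the login form is also protected on GET when the login
    handler's allowedMethods includes GET."""
    if req.method not in SAFE_METHODS:
        return True
    return req.path == login_path and "GET" in login_allowed_methods


def issue_synchronizer_token(session):
    """One token per session, reused on later requests instead of minting
    a fresh value (and a fresh cookie/header) on every request."""
    return session.setdefault("csrf_token", secrets.token_urlsafe(32))


def synchronizer_filter(req, bypass=("/health",)):
    """Synchronizer-token pattern: the expected token lives in the server
    session and is compared with the token submitted in the form."""
    if req.path in bypass or not needs_token(req):
        return True
    expected = req.session.get("csrf_token")
    submitted = req.form.get("csrf_token", "")
    return expected is not None and hmac.compare_digest(expected, submitted)


def double_submit_filter(req, bypass=("/public",)):
    """Double-submit-cookie pattern: the token in the cookie must equal the
    token the client repeats in a request header; no server state needed."""
    if req.path in bypass or not needs_token(req):
        return True
    cookie = req.cookies.get("csrf")
    header = req.headers.get("X-CSRF-Token", "")
    return cookie is not None and hmac.compare_digest(cookie, header)
```

Each filter returns True when the request may proceed, so wiring one or the other in front of a handler keeps the bypass lists independent, as the second bullet proposes.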