Loading...

XML

Word

Printable

Type: Improvement
Resolution: Done
Priority: Neutral
Fix Version/s: 6.2.14
Affects Version/s: 6.2.12
Component/s: core
Labels:
- artt
- csrf

Template:
Acceptance criteria:

Empty

show more show less
Task DoD:

show more show less
Release notes required:

Yes
Documentation update required:

Yes

After reviewing the CSRF concept in Magnolia, we concluded couple solutions:

In ~~MAGNOLIA-8209~~ (just FYI here):

First, reduce the amount of cookies generated for every requests. Tentatively recycle the cookie name (sub-domain only), and update its value?

In this ticket:

Reconsider applying the token generation to everything, unless the Form loginHandler's allowedMethods includes GET (disabled by default since MAGNOLIA-8115).
Split implementation of synchronizer-pattern vs. double-submit cookie pattern into two CSRF filters, with their own bypasses.

See SUPPORT-13766 for the original bug report.
As QA we should verify the solution also positively impacts the amount of cookies/headers size.

Acceptance criteria

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

image-2021-11-19-16-41-13-584.png
71 kB
19/Nov/21 4:41 PM
image-2021-11-19-16-39-14-908.png
83 kB
19/Nov/21 4:39 PM

clones

MAGNOLIA-8209 CSRF Header sent with all responses

Closed

relates to

MAGNOLIA-8226 DOC: Update CSRF filter implementation

Closed

split to

MAGNOLIA-8232 Intercept login redirects to reduce bypasses for the login-CSRF filter

Accepted

to be documented by

MAGNOLIA-8226 DOC: Update CSRF filter implementation

Closed

mentioned in: Page Loading...

Assignee:: Michael Duerig

Reporter:: Mikaël Geljić

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 19/Oct/21 10:09 PM

Updated:: 22/Nov/21 9:05 PM

Resolved:: 22/Nov/21 9:05 PM

Date of First Response:: 19/Nov/21 3:11 PM

Task DoD