MAGNOLIA-8210

Review CSRF filter implementations and bypasses


    • Type: Improvement
    • Resolution: Done
    • Priority: Neutral
    • Versions: 6.2.14, 6.2.12
    • Component: core

After reviewing the CSRF concept in Magnolia, we arrived at a couple of solutions:

In MAGNOLIA-8209 (just FYI here):

• First, reduce the number of cookies generated for every request. Tentatively recycle the cookie name (sub-domain only) and update its value?

In this ticket:

• Reconsider applying the token generation to everything, unless the Form loginHandler's allowedMethods includes GET (disabled by default since MAGNOLIA-8115).
• Split the implementation of the synchronizer-token pattern vs. the double-submit cookie pattern into two CSRF filters, each with its own bypasses.

See SUPPORT-13766 for the original bug report.
As QA, we should also verify that the solution positively impacts the number of cookies and the header size.
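The two filter styles the description contrasts, as an added example that is not Magnolia's code: a Python model of a synchronizer-token filter (token held in the server-side session) and a double-submit cookie filter (token held only in a cookie and echoed back by the client), both sharing one bypass rule (safe methods skip the check unless the login form accepts GET, in which case a GET login attempt is still checked), and with the cookie issued once under a fixed name rather than on every request. The Request/Response classes, the names csrfToken and csrf.token, and the "username"-parameter login marker are assumptions, not Magnolia identifiers.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
COOKIE_NAME = "csrfToken"   # assumed cookie name (double-submit pattern)
PARAM_NAME = "csrfToken"    # assumed form field / header carrying the token
SESSION_KEY = "csrf.token"  # assumed session attribute (synchronizer pattern)


@dataclass
class Request:
    method: str
    params: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int = 200
    set_cookies: Dict[str, str] = field(default_factory=dict)


class CsrfFilter:
    """Shared bypass rule: safe methods skip the check, unless the login form
    accepts GET, in which case a GET login attempt is still verified."""

    def __init__(self, login_allows_get: bool = False,
                 is_login: Callable[[Request], bool] = lambda r: False):
        self.login_allows_get = login_allows_get
        self.is_login = is_login

    def needs_check(self, req: Request) -> bool:
        if req.method not in SAFE_METHODS:
            return True
        return self.login_allows_get and self.is_login(req)

    @staticmethod
    def tokens_match(expected: Optional[str], submitted: Optional[str]) -> bool:
        # constant-time compare; a missing or empty token never matches
        return bool(expected) and bool(submitted) and hmac.compare_digest(expected, submitted)


class SynchronizerTokenFilter(CsrfFilter):
    """Stateful: the token lives in the session and is echoed in a form field
    or header. This filter never sets a cookie."""

    def do_filter(self, req: Request, resp: Response) -> bool:
        expected = req.session.get(SESSION_KEY)
        if self.needs_check(req) and not self.tokens_match(expected, req.params.get(PARAM_NAME)):
            resp.status = 403
            return False
        if expected is None:
            # generated lazily, once per session, then reused
            req.session[SESSION_KEY] = secrets.token_urlsafe(32)
        return True


class DoubleSubmitCookieFilter(CsrfFilter):
    """Stateless: the token is a cookie that must be repeated in the request;
    the server only compares the two copies."""

    def do_filter(self, req: Request, resp: Response) -> bool:
        cookie = req.cookies.get(COOKIE_NAME)
        if self.needs_check(req) and not self.tokens_match(cookie, req.params.get(PARAM_NAME)):
            resp.status = 403
            return False
        if cookie is None:
            # one cookie under a fixed name, issued only when the client has none,
            # instead of a fresh cookie added on every request
            resp.set_cookies[COOKIE_NAME] = secrets.token_urlsafe(32)
        return True


def run_scenarios() -> Dict[str, int]:
    """Drive both filters through constructed requests; returns status/counts per scenario."""
    is_login = lambda r: "username" in r.params  # assumed login-attempt marker
    out: Dict[str, int] = {}
    dsc = DoubleSubmitCookieFilter()
    r = Response(); dsc.do_filter(Request("GET"), r)
    out["dsc_get_no_cookie"] = r.status
    tok = r.set_cookies[COOKIE_NAME]
    r = Response(); dsc.do_filter(Request("GET", cookies={COOKIE_NAME: tok}), r)
    out["dsc_cookies_reissued"] = len(r.set_cookies)
    r = Response(); dsc.do_filter(Request("POST", cookies={COOKIE_NAME: tok}), r)
    out["dsc_post_missing_param"] = r.status
    r = Response(); dsc.do_filter(Request("POST", {PARAM_NAME: "x"}, {COOKIE_NAME: tok}), r)
    out["dsc_post_mismatch"] = r.status
    r = Response(); dsc.do_filter(Request("POST", {PARAM_NAME: tok}, {COOKIE_NAME: tok}), r)
    out["dsc_post_ok"] = r.status
    sess: Dict[str, str] = {}
    stf = SynchronizerTokenFilter(login_allows_get=True, is_login=is_login)
    r = Response(); stf.do_filter(Request("GET", session=sess), r)
    out["stf_get"] = r.status
    out["stf_cookies_set"] = len(r.set_cookies)
    tok = sess[SESSION_KEY]
    r = Response(); stf.do_filter(Request("GET", {"username": "admin"}, session=sess), r)
    out["stf_get_login_no_token"] = r.status
    r = Response(); stf.do_filter(Request("GET", {"username": "admin", PARAM_NAME: tok}, session=sess), r)
    out["stf_get_login_with_token"] = r.status
    r = Response(); stf.do_filter(Request("POST", {PARAM_NAME: tok}, session=sess), r)
    out["stf_post_ok"] = r.status
    return out
```

The double-submit filter here compares the raw cookie and parameter; in a deployment where a sibling sub-domain can plant cookies, the cookie value would additionally need to be bound to the session or signed, which is the concern behind the sub-domain cookie-name remark above.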

        Acceptance criteria

              mduerig Michael Duerig
              mgeljic Mikaël Geljić
              Votes: 0, Watchers: 5