
Review CSRF filter implementations and bypasses


Details

    • Improvement
    • Resolution: Done
    • Neutral
    • 6.2.14
    • 6.2.12
    • core
    • Yes
    • Yes

    Description

      After reviewing the CSRF concept in Magnolia, we settled on a couple of solutions:

      In MAGNOLIA-8209 (just FYI here):

      • First, reduce the number of cookies generated for every request. Tentatively, reuse the cookie name (sub-domain only) and update its value?

      In this ticket:

      • Reconsider applying the token generation to everything, unless the Form loginHandler's allowedMethods includes GET (disabled by default since MAGNOLIA-8115).
      • Split implementation of synchronizer-pattern vs. double-submit cookie pattern into two CSRF filters, with their own bypasses.

      See SUPPORT-13766 for the original bug report.
      As QA, we should verify that the solution also reduces the number of cookies and the header size.
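      The split described above, modelled as an added example (not Magnolia's code): two independent filters, one for the synchronizer pattern and one for the double-submit cookie pattern, sharing a single bypass rule that exempts safe methods unless the login handler's allowedMethods (a hypothetical parameter here) lists them. The Request class is a constructed stand-in for a servlet request.

```python
import hmac
from dataclasses import dataclass, field

# Methods that should carry no state change and so get no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    """Constructed stand-in for a servlet request (not Magnolia's API)."""
    method: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def needs_protection(method, allowed_methods=frozenset({"POST"})):
    """Shared bypass: safe methods are exempt unless the login handler's
    allowedMethods (hypothetical parameter) also lists them, e.g. GET."""
    return method not in SAFE_METHODS or method in allowed_methods


def synchronizer_filter(req, allowed_methods=frozenset({"POST"})):
    """Synchronizer pattern: the expected token lives server-side in the
    session; the client must echo it back in the submitted form."""
    if not needs_protection(req.method, allowed_methods):
        return True
    expected, given = req.session.get("csrf"), req.form.get("csrf")
    return bool(expected and given and hmac.compare_digest(expected, given))


def double_submit_filter(req, allowed_methods=frozenset({"POST"})):
    """Double-submit cookie pattern: no server state; the form value must
    equal the cookie, which a cross-site page cannot read or set."""
    if not needs_protection(req.method, allowed_methods):
        return True
    cookie, given = req.cookies.get("csrf"), req.form.get("csrf")
    return bool(cookie and given and hmac.compare_digest(cookie, given))
```

Because both filters call the same bypass predicate, enabling GET in allowedMethods makes a token-less GET fail under either pattern, which is the behaviour the second bullet asks for.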

        Attachments

          1. image-2021-11-19-16-39-14-908.png
            83 kB
            Michael Duerig
          2. image-2021-11-19-16-41-13-584.png
            71 kB
            Michael Duerig

              People

                mduerig Michael Duerig
                mgeljic Mikaël Geljić