MAGNOLIA-8697: CSRF for multiple public instances without sticky sessions


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core

      Our current CSRF protection mechanism encodes the server id into the CSRF token and requires it to match on subsequent requests. When multiple public instances are run without sticky sessions, a form rendered by one instance may be submitted to another instance with a different server id, so the token fails validation and the request is rejected as a CSRF failure. See also https://groups.google.com/a/magnolia-cms.com/g/user-list/c/ubLUV6Z8ZlA/m/yt0x1MNEBgAJ?utm_medium=email&utm_source=footer

      Implementation note

      We should consider supporting multiple public instances without requiring sticky sessions. Possible options:

      • Remove the server id from the CSRF token
      • Add a configuration option to ignore the server id
      • Synchronize the server id across all public instances
      • Replace the server id with a configurable "CSRF server id".
        • Fall back to the server id if nothing is configured.
      • Factor the "server id" into a configurable ServerIdProvider class for maximum flexibility.
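To make the failure mode and the "configurable CSRF server id with fallback" option concrete, the following is an added illustrative model, not Magnolia's actual token code (the real token format is not shown in this ticket). It assumes an HMAC-based token bound to a session id that is shared across instances (replicated sessions), a deployment-wide secret, and constructed instance ids `public-1` and `public-2`.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret shared by all public instances.
SECRET = secrets.token_bytes(32)


def csrf_server_id(instance_id, configured_csrf_id=None):
    """Use the configured 'CSRF server id' if set, else fall back to the instance's own id."""
    return configured_csrf_id or instance_id


def issue_token(server_id, session_id, secret=SECRET):
    """Token = server id + nonce + HMAC over (server id, session, nonce)."""
    nonce = secrets.token_hex(8)
    msg = f"{server_id}|{session_id}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{server_id}:{nonce}:{mac}"


def verify_token(token, server_id, session_id, secret=SECRET):
    """Reject tokens whose embedded server id differs from this instance's id,
    then check the MAC; both comparisons are constant-time."""
    try:
        tok_server_id, nonce, mac = token.split(":")
    except ValueError:
        return False
    # This is the check that fails across instances without sticky sessions.
    if not hmac.compare_digest(tok_server_id, server_id):
        return False
    msg = f"{server_id}|{session_id}|{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def simulate_cross_instance_submit(configured_csrf_id=None):
    """Form rendered by public-1, submitted to public-2 (no sticky sessions).
    Returns True if the token is accepted, False if it is rejected."""
    session = "sess-123"  # same session on both instances (replicated store)
    token = issue_token(csrf_server_id("public-1", configured_csrf_id), session)
    return verify_token(token, csrf_server_id("public-2", configured_csrf_id), session)
```

Without a configured id the cross-instance submit is rejected; with a shared `configured_csrf_id` it is accepted while tampered or wrong-session tokens still fail.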


        Acceptance criteria

              Assignee: Unassigned
              Reporter: Michael Duerig (mduerig)
              all@magnolia-cms.com, Jean-Christophe Viau