Details
Improvement
Resolution: Unresolved
Minor
Description
Our current CSRF protection mechanism encodes the server id into the CSRF token and requires it to match on subsequent requests. This causes CSRF failures when using multiple public instances without sticky sessions. See also https://groups.google.com/a/magnolia-cms.com/g/user-list/c/ubLUV6Z8ZlA/m/yt0x1MNEBgAJ?utm_medium=email&utm_source=footer
Implementation note
We should consider enabling the usage of multiple public instances without the need for sticky sessions. Options could be:
- Remove the server id from the CSRF token
- Add a configuration option to ignore the server id
- Synchronize the server id across all public instances
- Replace the server id with a configurable "CSRF server id".
  - Fall back to the server id if nothing is configured.
  - Factor the "server id" into a configurable ServerIdProvider class for maximum flexibility.
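To make the failure mode and the proposed fix concrete, here is an added Python sketch; it is not Magnolia's code, and the HMAC-signed token layout, the class and field names, the shared secret and the sample instance ids are all assumptions. It binds the issuing server id into the token as the description states, shows validation failing when a second public instance receives the request without sticky sessions, and shows the configurable "CSRF server id" option with fallback to the instance's own server id.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class CsrfTokenService:
    """Toy CSRF token service (assumed design, not Magnolia's implementation).

    The token carries the server id that issued it; validation requires that id
    to match the validating instance, which is the behaviour the ticket describes.
    `csrf_server_id` models the proposed configurable id shared by all public
    instances; when it is None we fall back to the instance's own server id.
    """

    def __init__(self, instance_server_id: str, secret: bytes,
                 csrf_server_id: Optional[str] = None):
        self.instance_server_id = instance_server_id
        self.secret = secret  # assumed: one signing key shared by the cluster
        self.csrf_server_id = csrf_server_id

    @property
    def effective_server_id(self) -> str:
        return self.csrf_server_id or self.instance_server_id

    def _mac(self, server_id: str, nonce: str) -> str:
        return hmac.new(self.secret, f"{server_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()

    def issue(self) -> str:
        sid, nonce = self.effective_server_id, secrets.token_hex(8)
        return f"{sid}:{nonce}:{self._mac(sid, nonce)}"

    def validate(self, token: str) -> bool:
        try:
            sid, nonce, mac = token.split(":")
        except ValueError:
            return False
        if not hmac.compare_digest(mac, self._mac(sid, nonce)):
            return False  # tampered or forged token
        return sid == self.effective_server_id  # the server-id binding


def demo() -> dict:
    key = b"constructed-cluster-secret"  # constructed sample key
    # Two public instances behind a load balancer, no sticky sessions.
    a, b = CsrfTokenService("public-1", key), CsrfTokenService("public-2", key)
    token = a.issue()
    # Same two instances with a shared, configured CSRF server id.
    a2 = CsrfTokenService("public-1", key, csrf_server_id="public-cluster")
    b2 = CsrfTokenService("public-2", key, csrf_server_id="public-cluster")
    return {
        "same_instance": a.validate(token),
        "other_instance_no_sticky": b.validate(token),   # the reported failure
        "other_instance_shared_id": b2.validate(a2.issue()),
        "tampered": b.validate(token.replace("public-1", "public-2", 1)),
    }
```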