Loading...

XML

Word

Printable

Details

Type: Task
Resolution: Won't Do
Priority: Neutral
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- maintenance

Template:
Acceptance criteria:

Empty

show more show less
Task DoR:

Empty

show more show less
Epic Link:
Security

Description

The side effect of info.magnolia.personalization.geoip.CountryDetectorFilter currently is that it triggers the session creation for even anonymous users. This is done supposedly to not invoke costly GeoIp calls upon every request, but is prone to various problems related to the anonymous user sessions:

e.g. as had suggested - it could be prone to denial of service attacks
it masquerades our CSRF-prevention mechanism (which kicks in only when the session is not created)

Checklists

Acceptance criteria

Attachments

Issue Links

is superseded by

MGNLPN-512 Reduce the scope of CountryDetectorFilter from session to request

Open

relates to

MAGNOLIA-7896 Generation of CSRF token is too expensive

Closed

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Aleksandr Pchelintcev

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 15/Oct/20 9:35 AM

Updated:: 02/Nov/21 4:03 PM

Resolved:: 11/Mar/21 1:06 PM

Date of First Response:: 15/Oct/20 9:47 AM

Checklists

Task DoR