[MAGNOLIA-8154] Don't log CSRF attack warnings for expired sessions Created: 17/Aug/21  Updated: 02/Nov/21  Resolved: 17/Aug/21

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 6.2.11
Fix Version/s: 6.2.12

Type: Improvement Priority: Neutral
Reporter: Michael Duerig Assignee: Michael Duerig
Resolution: Fixed Votes: 0
Labels: artt, csrf, maintenance
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Story Points: 2

Description

Magnolia logs CSRF attack warnings for some Vaadin requests once a session expires:

2021-08-17 09:18:45,517 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/HEARTBEAT/'.
2021-08-17 09:18:58,069 WARN  info.magnolia.cms.security.CsrfTokenSecurityFilter: Possible CSRF Attack. CSRF token not set while user 'anonymous' attempted to access url '/.magnolia/admincentral/UIDL/'.


Since Vaadin comes with its own CSRF protection mechanism, we can bypass our CSRF token check for these URLs.
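As an added illustration of the decision the fix implies (this is not Magnolia's CsrfTokenSecurityFilter code), the policy exempts only Vaadin's own UIDL and HEARTBEAT requests, which Vaadin protects with its own token, and keeps the token check for every other URL. The class, method and verdict names, the admincentral prefix constant and the sample requests are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

/** Decides whether Magnolia's own CSRF token check applies to a request (hypothetical helper). */
public final class CsrfCheckPolicy {

    /** Outcome of the check, so the caller can decide what, if anything, to log. */
    public enum Verdict { SKIP_VAADIN_PROTECTED, ALLOW_TOKEN_MATCH, REJECT_TOKEN_MISSING, REJECT_TOKEN_MISMATCH }

    // Vaadin request types that carry Vaadin's own CSRF token; these names appear in the issue's log lines.
    private static final Set<String> VAADIN_SELF_PROTECTED = Set.of("UIDL", "HEARTBEAT");
    // Assumed servlet path of the admin UI, taken from the URLs in the issue description.
    private static final String ADMINCENTRAL_PREFIX = "/.magnolia/admincentral/";

    /** True only for the exact admincentral UIDL/HEARTBEAT paths; a broad prefix match would exempt too much. */
    static boolean isVaadinInternalRequest(String path) {
        if (path == null || !path.startsWith(ADMINCENTRAL_PREFIX)) {
            return false;
        }
        String rest = path.substring(ADMINCENTRAL_PREFIX.length());
        if (rest.endsWith("/")) {
            rest = rest.substring(0, rest.length() - 1); // tolerate one trailing slash
        }
        return VAADIN_SELF_PROTECTED.contains(rest);      // no further path segments allowed
    }

    /**
     * @param path         request path
     * @param sessionToken token stored in the session, or null when the session has expired
     * @param requestToken token supplied by the client, or null when absent
     */
    static Verdict decide(String path, String sessionToken, String requestToken) {
        if (isVaadinInternalRequest(path)) {
            return Verdict.SKIP_VAADIN_PROTECTED;   // Vaadin validates its own token on these requests
        }
        if (sessionToken == null || requestToken == null) {
            return Verdict.REJECT_TOKEN_MISSING;
        }
        boolean equal = MessageDigest.isEqual(     // constant-time comparison
            sessionToken.getBytes(StandardCharsets.UTF_8),
            requestToken.getBytes(StandardCharsets.UTF_8));
        return equal ? Verdict.ALLOW_TOKEN_MATCH : Verdict.REJECT_TOKEN_MISMATCH;
    }

    public static void main(String[] args) {
        // Constructed sample requests mirroring the URLs from the issue's log lines.
        System.out.println(decide("/.magnolia/admincentral/HEARTBEAT/", null, null));
        System.out.println(decide("/.magnolia/admincentral/UIDL/", null, null));
        System.out.println(decide("/.magnolia/admincentral/UIDL/extra", null, null));
        System.out.println(decide("/.magnolia/admincentral/", "t0k3n", "t0k3n"));
    }
}
```

Only the SKIP_VAADIN_PROTECTED verdict suppresses the warning; a missing or mismatched token on any other URL is still rejected and can still be logged.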