[MAGNOLIA-8209] CSRF Header sent with all responses Created: 19/Oct/21  Updated: 03/Nov/21  Resolved: 03/Nov/21

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 6.2.12
Fix Version/s: 6.2.13

Type: Bug Priority: Major
Reporter: Mikaël Geljić Assignee: Michael Duerig
Resolution: Fixed Votes: 0
Labels: artt, csrf
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MAGNOLIA-8210 Review CSRF filter implementations an... Closed
Relates
relates to MAGNOLIA-8150 CsrfTokenSecurityFilter could create ... Closed
dependency
relation
is related to MAGNOLIA-8150 CsrfTokenSecurityFilter could create ... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Release notes required:
Yes
Date of First Response:
Sprint: HL & LD 40

Description

As described in SUPPORT-13766 (quoted below).

After reviewing the CSRF concept in Magnolia, we settled on a couple of solutions:

In this ticket:

  • First, reduce the number of cookies generated for every request. Tentatively, recycle the cookie name (sub-domain only) and update its value?
  • Generate cookies for applicable content types only. See MAGNOLIA-8150.

In another ticket (just FYI here):

  • Reconsider applying the token generation to everything, unless the Form loginHandler's allowedMethods includes GET (disabled by default since MAGNOLIA-8115).
  • Split implementation of synchronizer-pattern vs. double-submit cookie pattern into two CSRF filters, with their own bypasses.

Initial bug report

Steps to reproduce

  1. using csrf
  2. updating from Magnolia 6.1.7 to Magnolia 6.2.11 


Expected results

  • as in Magnolia 6.1. 
  • csrf headers should be sent in responses only when necessary (or is it necessary?) 

Actual results

  • csrf header was sent in all responses
  • this increases header count above the limit
  • due to this http2 does not work
  • example: header count = 127
Host: stest.ruv.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
Cookies:

Workaround

  • we configured bypasses in /server/filters/csrfTokenSecurity/bypasses for some paths, e.g. /dam, /.resources and /.imaging
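
As an added illustration (not Magnolia's CsrfTokenSecurityFilter code), the Python model below compares the reported behaviour, one `!csrf` cookie per requested path, with the approach the description and the workaround point at: a single site-wide cookie that is only issued for HTML responses outside the bypassed prefixes. The cookie name `csrf`, the bypass list, the content-type rule and the sample page load are assumptions constructed from this ticket.

```python
"""Model of the two CSRF cookie-issuing strategies discussed in this ticket.

Constructed illustration, not Magnolia's CsrfTokenSecurityFilter: the cookie
naming, the bypass prefixes and the sample page load are assumptions.
"""
import secrets
from dataclasses import dataclass, field

# Static-resource prefixes the workaround in this ticket bypasses.
BYPASS_PREFIXES = ("/dam", "/.resources", "/.imaging")
# Only responses that can carry a form need a double-submit token.
TOKEN_CONTENT_TYPES = ("text/html",)


@dataclass
class Response:
    path: str
    content_type: str


@dataclass
class CookieJar:
    cookies: dict = field(default_factory=dict)

    def set(self, name, value):
        self.cookies[name] = value


def per_path_cookie(jar, servlet_path, resp):
    """Reported 6.2.12 behaviour: every response gets its own
    '<servletPath><requestPath>!csrf' cookie, so the jar grows per URL."""
    jar.set(f"{servlet_path}{resp.path}!csrf", secrets.token_urlsafe(20))


def single_cookie(jar, servlet_path, resp):
    """Fixed behaviour modelled on the ticket: skip bypassed prefixes and
    non-form content types, and reuse one cookie name for the whole site."""
    if resp.path.startswith(BYPASS_PREFIXES):
        return
    if not resp.content_type.startswith(TOKEN_CONTENT_TYPES):
        return
    name = "csrf"  # servlet path and request path are no longer part of the name
    if name not in jar.cookies:
        jar.set(name, secrets.token_urlsafe(20))


def simulate(strategy, responses, servlet_path="/wsj_mag"):
    """Run a page load through a strategy and return how many CSRF cookies
    the browser would now send back with every subsequent request."""
    jar = CookieJar()
    for resp in responses:
        strategy(jar, servlet_path, resp)
    return sum(1 for name in jar.cookies if "csrf" in name)


# Constructed page load: two HTML pages plus assets of the kinds in the report.
PAGE_LOAD = [
    Response("/home/", "text/html;charset=UTF-8"),
    Response("/.resources/site/css/style.css", "text/css"),
    Response("/.resources/site/js/script.js", "application/javascript"),
    Response("/.imaging/focalarea/stage-L/1100x400/dam/jcr:ID/a.jpg", "image/jpeg"),
    Response("/dam/jcr:ID/b.png", "image/png"),
    Response("/service/kontakt", "text/html;charset=UTF-8"),
]

if __name__ == "__main__":
    print("per-path cookies:", simulate(per_path_cookie, PAGE_LOAD))  # 6
    print("single cookie:", simulate(single_cookie, PAGE_LOAD))       # 1
```

With a real site the per-path count grows with every distinct URL the browser has fetched, which is how the reported request reached 127 headers.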


Comments
Comment by Michael Duerig [ 26/Oct/21 ]

jpetras, I just created a PR for MAGNOLIA-7899, which already contains some improvements leading to fewer cookies:

Comment by Michael Duerig [ 01/Nov/21 ]

In the context of MAGNOLIA-7899 we removed the servlet path from the cookie. This cuts down the number of cookies generated already.

Comment by Mikaël Geljić [ 03/Nov/21 ]

For RNs, as mentioned above:

Fixed

This change was part of PR #987 for MAGNOLIA-7899, but the cookie path fix was specifically committed against this ticket.

Re: Generate cookies for applicable content types only, we spared this for reevaluation in light of the fix here. This would be better addressed in MAGNOLIA-8210 (applicability of CSRF vs. login-CSRF and bypasses), or by reopening MAGNOLIA-8150.

Closing.

Generated at Mon Feb 12 04:30:37 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.