[MAGNOLIA-8210] Review CSRF filter implementations and bypasses Created: 19/Oct/21  Updated: 22/Nov/21  Resolved: 22/Nov/21

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 6.2.12
Fix Version/s: 6.2.14

Type: Improvement Priority: Neutral
Reporter: Mikaël Geljić Assignee: Michael Duerig
Resolution: Done Votes: 0
Labels: artt, csrf
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-11-19-16-39-14-908.png     PNG File image-2021-11-19-16-41-13-584.png    
Issue Links:
Cloners
clones MAGNOLIA-8209 CSRF Header sent with all responses Closed
Issue split
split to MAGNOLIA-8232 Intercept login redirects to reduce b... Accepted
Relates
relates to MAGNOLIA-8226 DOC: Update CSRF filter implementation Closed
documentation
to be documented by MAGNOLIA-8226 DOC: Update CSRF filter implementation Closed
relation
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Release notes required:
Yes
Documentation update required:
Yes
Date of First Response:

Description

After reviewing the CSRF concept in Magnolia, we concluded on a couple of solutions:

In MAGNOLIA-8209 (just FYI here):

  • First, reduce the number of cookies generated for every request. Tentatively recycle the cookie name (sub-domain only) and update its value?

In this ticket:

  • Reconsider applying the token generation to everything, unless the Form loginHandler's allowedMethods includes GET (disabled by default since MAGNOLIA-8115).
  • Split implementation of synchronizer-pattern vs. double-submit cookie pattern into two CSRF filters, with their own bypasses.

See SUPPORT-13766 for the original bug report.
As QA we should verify that the solution also positively impacts the number of cookies and the header size.



Comments
Comment by Michael Duerig [ 19/Nov/21 ]

Doc ticket: MAGNOLIA-8226

Comment by Michael Duerig [ 19/Nov/21 ]

akhamis, for documentation:

With this ticket we deprecated CsrfTokenSecurityFilter and replaced it with CsrfCookieTokenFilter and CsrfSessionTokenFilter. Jointly these two classes cover the same functionality that was previously covered by CsrfTokenSecurityFilter.

Splitting into two classes simplifies both the implementations and the configuration, while at the same time making it more flexible, as bypasses can now be specified more specifically.

 

Configuration prior to this ticket:

 

Configuration after this ticket:

Both filters allow setting a CsrfTokenStrategy, which defines how the filter deals with CSRF tokens. It exposes methods for creating new tokens, validating tokens and renewing tokens. The default value is HmacCsrfToken, for HMAC-secured tokens. Also available is the RandomCsrfToken strategy, which brings back the behaviour prior to MAGNOLIA-7899.
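The description above splits the double-submit cookie pattern and the session (synchronizer) pattern into two filters with their own bypasses, and this comment describes a pluggable token strategy with HMAC-secured and random variants. The following is an added illustration of that design and is not Magnolia's code: the class names echo the ticket, but the request model, the `X-CSRF-Token` header, the `csrf` cookie/session key, the safe-method and path-prefix bypass rules, the `nonce.expiry.mac` token layout and all sample traffic are assumptions constructed for the example. It also shows the property that motivates an HMAC strategy: a token value the server never issued is rejected even when it is echoed back correctly, which a purely random strategy cannot detect in the cookie pattern.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed: read-only methods never need a token


class RandomCsrfToken:
    """Opaque random token: the server can only compare it against its reference copy."""

    def create(self) -> str:
        return secrets.token_urlsafe(32)

    def validate(self, submitted: str, reference: str) -> bool:
        return hmac.compare_digest(submitted, reference)


class HmacCsrfToken:
    """Token = nonce.expiry.mac: the MAC proves this server issued it and bounds its lifetime."""

    def __init__(self, key: bytes, ttl_seconds: int = 3600, clock=time.time):
        self.key, self.ttl, self.clock = key, ttl_seconds, clock

    def _mac(self, nonce: str, expiry: str) -> str:
        return hmac.new(self.key, f"{nonce}.{expiry}".encode(), hashlib.sha256).hexdigest()

    def create(self) -> str:
        nonce = secrets.token_hex(16)
        expiry = str(int(self.clock()) + self.ttl)
        return f"{nonce}.{expiry}.{self._mac(nonce, expiry)}"

    def is_authentic(self, token: str) -> bool:
        parts = token.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return False
        nonce, expiry, mac = parts
        if int(expiry) < int(self.clock()):
            return False  # expired: renewal means handing out a fresh create() result
        return hmac.compare_digest(mac, self._mac(nonce, expiry))

    def validate(self, submitted: str, reference: str) -> bool:
        # Equality alone is not enough: the reference must carry a valid MAC, so a
        # value this server never issued fails even if it is echoed back correctly.
        return self.is_authentic(reference) and hmac.compare_digest(submitted, reference)


@dataclass
class Request:  # minimal stand-in for a servlet request (constructed for this example)
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


class _CsrfFilter:
    TOKEN_NAME = "csrf"

    def __init__(self, strategy, bypass_paths=()):
        self.strategy, self.bypass_paths = strategy, tuple(bypass_paths)

    def bypassed(self, req: Request) -> bool:
        return req.method in SAFE_METHODS or any(req.path.startswith(p) for p in self.bypass_paths)

    def submitted(self, req: Request):
        return req.headers.get("X-CSRF-Token") or req.form.get(self.TOKEN_NAME)

    def reference(self, req: Request):
        raise NotImplementedError

    def accept(self, req: Request) -> bool:
        if self.bypassed(req):
            return True
        submitted, reference = self.submitted(req), self.reference(req)
        if not submitted or not reference:
            return False
        return self.strategy.validate(submitted, reference)


class CsrfCookieTokenFilter(_CsrfFilter):
    """Double-submit cookie pattern: the reference is the cookie the browser sends back."""

    def reference(self, req):
        return req.cookies.get(self.TOKEN_NAME)

    def issue(self, req):  # what the filter would Set-Cookie on a safe request
        return req.cookies.setdefault(self.TOKEN_NAME, self.strategy.create())


class CsrfSessionTokenFilter(_CsrfFilter):
    """Synchronizer token pattern: the reference is kept server-side in the session."""

    def reference(self, req):
        return req.session.get(self.TOKEN_NAME)

    def issue(self, req):
        return req.session.setdefault(self.TOKEN_NAME, self.strategy.create())


def demo(strategy_name: str = "hmac") -> dict:
    """Run constructed sample traffic through both filters and report each decision."""
    strategy = HmacCsrfToken(secrets.token_bytes(32)) if strategy_name == "hmac" else RandomCsrfToken()
    cookie_filter = CsrfCookieTokenFilter(strategy, bypass_paths=("/api/public/",))
    session_filter = CsrfSessionTokenFilter(strategy)
    r = {}
    page = Request("GET", "/page")
    r["get_bypassed"] = cookie_filter.accept(page)
    tok = cookie_filter.issue(page)
    r["post_ok"] = cookie_filter.accept(Request("POST", "/form", headers={"X-CSRF-Token": tok}, cookies={"csrf": tok}))
    r["post_no_header"] = cookie_filter.accept(Request("POST", "/form", cookies={"csrf": tok}))
    unissued = "not-made-by-this-server"
    r["unissued_cookie_accepted"] = cookie_filter.accept(Request("POST", "/form", headers={"X-CSRF-Token": unissued}, cookies={"csrf": unissued}))
    r["bypass_path"] = cookie_filter.accept(Request("POST", "/api/public/ping"))
    session = {}
    stok = session_filter.issue(Request("GET", "/page", session=session))
    r["session_ok"] = session_filter.accept(Request("POST", "/form", form={"csrf": stok}, session=session))
    r["session_wrong"] = session_filter.accept(Request("POST", "/form", form={"csrf": "x"}, session=session))
    return r


if __name__ == "__main__":
    for name in ("hmac", "random"):
        print(name, demo(name))
```

With the HMAC strategy every decision except `unissued_cookie_accepted` is what you would expect from both patterns; with the random strategy the cookie filter accepts the unissued value because it can only check that cookie and header match. The bypass list is per filter instance, which is the flexibility the comment refers to.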

Generated at Mon Feb 12 04:30:38 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.