[MAGNOLIA-8697] CSRF for multiple public instances without sticky sessions
Created: 12/Jan/23  Updated: 22/Jun/23

Status: Selected
Project: Magnolia
Component/s: core
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Minor
Reporter: Michael Duerig
Assignee: Unassigned
Resolution: Unresolved
Votes: 1
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:
Visible to:
all@magnolia-cms.com, Jean-Christophe Viau
Team: Foundation
Work Started:

 Description   

Our current CSRF protection mechanism encodes the server id into the CSRF token and requires it to match on subsequent requests. This causes CSRF failures when using multiple public instances without sticky sessions. See also https://groups.google.com/a/magnolia-cms.com/g/user-list/c/ubLUV6Z8ZlA/m/yt0x1MNEBgAJ?utm_medium=email&utm_source=footer

Implementation note

We should consider enabling the usage of multiple public instances without the need for sticky sessions. Options could be:

  • Remove the server id from the CSRF token
  • Add a configuration option to ignore the server id
  • Synchronize the server id across all public instances
  • Replace the server id with a configurable "CSRF server id".
    • Fall back to the server id if nothing is configured.
  • Factor the "server id" into a configurable ServerIdProvider class for maximum flexibility.
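
The failure described above and the "configurable CSRF server id with fallback" option, as an added sketch that is not Magnolia code. The token layout (nonce plus an HMAC over nonce, session id and server id), the HMAC key shared by all instances, the shape of the ServerIdProvider interface, the configurable() helper and all ids are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Simplified model of a CSRF token bound to a server id; NOT Magnolia's actual token format.
public class CsrfServerIdDemo {
    // Hypothetical interface, named after the ServerIdProvider option in the ticket.
    interface ServerIdProvider { String getServerId(); }
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Hypothetical helper: configured "CSRF server id", falling back to the instance id when unset.
    static ServerIdProvider configurable(String configuredId, String instanceId) {
        return () -> (configuredId == null || configuredId.isBlank()) ? instanceId : configuredId;
    }
    // HMAC-SHA256 over length-prefixed fields, so field boundaries cannot be shifted.
    static String mac(byte[] key, String... fields) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        for (String f : fields) {
            byte[] b = f.getBytes(StandardCharsets.UTF_8);
            hmac.update(ByteBuffer.allocate(4).putInt(b.length).array());
            hmac.update(b);
        }
        return B64.encodeToString(hmac.doFinal());
    }
    // Token = nonce "." MAC(nonce, session id, server id of the issuing instance).
    static String issue(byte[] key, String sessionId, ServerIdProvider ids) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String n = B64.encodeToString(nonce);
        return n + "." + mac(key, n, sessionId, ids.getServerId());
    }
    // Recomputes the MAC with the validating instance's server id and compares in constant time.
    static boolean validate(byte[] key, String sessionId, ServerIdProvider ids, String token) throws Exception {
        int dot = token.indexOf('.');
        if (dot < 1) return false;
        byte[] expected = mac(key, token.substring(0, dot), sessionId, ids.getServerId()).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, token.substring(dot + 1).getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed; shared by both instances
        String sid = "constructed-session-id"; // constructed
        ServerIdProvider a = configurable(null, "public-a"), b = configurable(null, "public-b");
        System.out.println("instance ids, A issues, B validates: " + validate(key, sid, b, issue(key, sid, a)));
        ServerIdProvider a2 = configurable("public-cluster", "public-a"), b2 = configurable("public-cluster", "public-b");
        System.out.println("shared CSRF id, A issues, B validates: " + validate(key, sid, b2, issue(key, sid, a2)));
    }
}
```

In this model the token stays bound to the session id, so a shared server id only removes the per-instance binding and does not make a token reusable across sessions.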
