[MAGNOLIA-8697] CSRF for multiple public instances without sticky sessions
Created: 12/Jan/23 Updated: 22/Jun/23
| Status: | Selected |
| Project: | Magnolia |
| Component/s: | core |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Minor |
| Reporter: | Michael Duerig | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 1 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Acceptance criteria: | Empty |
| Task DoD: |
[ ] * Doc/release notes changes? Comment present?
[ ] * Downstream builds green?
[ ] * Solution information and context easily available?
[ ] * Tests
[ ] * FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
| Visible to: | all@magnolia-cms.com, Jean-Christophe Viau |
| Description |
Our current CSRF protection mechanism encodes the server id into the CSRF token and requires it to match on subsequent requests. This causes CSRF failures when using multiple public instances without sticky sessions. See also https://groups.google.com/a/magnolia-cms.com/g/user-list/c/ubLUV6Z8ZlA/m/yt0x1MNEBgAJ?utm_medium=email&utm_source=footer

Implementation note: We should consider enabling the usage of multiple public instances without the need for sticky sessions. Options could be:
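The following is an added illustration of the failure mode the description reports and of one way a token can be made instance-independent; it is not Magnolia code and does not represent any option the project has chosen. It models two stateless HMAC token schemes side by side: an instance-bound token that records the id of the issuing instance and is rejected by any other instance (the behaviour described above), and a cluster-wide token signed with a secret shared by all public instances and bound only to the session, which any instance can validate. The instance names, session ids and secret are constructed test data. Binding to a session id assumes the session itself is available on every instance (for example through a replicated session store); if it is not, the same MAC construction can be bound to a dedicated cookie value instead (the double-submit pattern).

```python
"""Illustrative CSRF token schemes (added example, not Magnolia code).

  * instance-bound: the token carries the id of the instance that issued it
    and only that instance accepts it (the scheme the issue describes, which
    breaks without sticky sessions);
  * cluster-wide: the token is bound to the session and signed with a secret
    shared by all public instances, so any instance can validate it.
All identifiers, secrets and session ids below are constructed test data.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed: one secret shared by every public instance of the cluster.
CLUSTER_SECRET = b"constructed-shared-secret-rotate-me"


def _mac(key: bytes, *parts: str) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so "a|bc" and "ab|c" cannot collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        data = p.encode()
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()


def _encode(*fields: str) -> str:
    # Fields are an instance name, a hex nonce and a hex MAC; none contains "|".
    return base64.urlsafe_b64encode("|".join(fields).encode()).decode()


def _decode(token: str, n: int):
    """Return exactly n fields, or None for anything that is not a well-formed token."""
    try:
        fields = base64.urlsafe_b64decode(token.encode()).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    return fields if len(fields) == n else None


def issue_instance_bound(server_id: str, session_id: str, secret: bytes) -> str:
    """Token that records which instance issued it (the scheme the issue describes)."""
    nonce = secrets.token_hex(16)
    mac = _mac(secret, server_id, session_id, nonce).hex()
    return _encode(server_id, nonce, mac)


def verify_instance_bound(token: str, server_id: str, session_id: str, secret: bytes) -> bool:
    fields = _decode(token, 3)
    if fields is None:
        return False
    issuer, nonce, mac = fields
    if issuer != server_id:
        # The request landed on a different instance: rejected even though the
        # signature would verify. This is the failure seen without sticky sessions.
        return False
    expected = _mac(secret, issuer, session_id, nonce).hex()
    return hmac.compare_digest(mac, expected)


def issue_cluster_wide(session_id: str, secret: bytes = CLUSTER_SECRET) -> str:
    """Token bound to the session and to a secret shared by all instances."""
    nonce = secrets.token_hex(16)
    mac = _mac(secret, session_id, nonce).hex()
    return _encode(nonce, mac)


def verify_cluster_wide(token: str, session_id: str, secret: bytes = CLUSTER_SECRET) -> bool:
    # No instance identity is involved: any node holding the secret can validate.
    fields = _decode(token, 2)
    if fields is None:
        return False
    nonce, mac = fields
    expected = _mac(secret, session_id, nonce).hex()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """Issue tokens on public-1, then check them on public-1 and public-2."""
    session = "constructed-session-abc123"  # same session id visible on both instances
    bound = issue_instance_bound("public-1", session, CLUSTER_SECRET)
    wide = issue_cluster_wide(session)
    return {
        "bound_same_instance": verify_instance_bound(bound, "public-1", session, CLUSTER_SECRET),
        "bound_other_instance": verify_instance_bound(bound, "public-2", session, CLUSTER_SECRET),
        "wide_any_instance": verify_cluster_wide(wide, session),
        "wide_other_session": verify_cluster_wide(wide, "constructed-other-session"),
        "wide_tampered": verify_cluster_wide(wide[:-4] + "AAAA", session),
        "wide_garbage": verify_cluster_wide("not-a-token", session),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22} {'accepted' if ok else 'rejected'}")
```

The instance-bound token is rejected on public-2 purely because of the embedded id; the MAC itself would have verified, which is why the symptom looks like random CSRF failures as the load balancer moves requests between instances. The cluster-wide token removes the instance from the token entirely and relies on the shared secret plus the session binding, so the remaining operational requirements are distributing and rotating that secret across instances and making the session (or a cookie) consistently available to whichever instance receives the request.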