[MAGNOLIA-9080] Duplicate CSRF cookies after server side forward
Created: 05/Sep/23  Updated: 12/Jan/24

Status: Selected
Project: Magnolia
Component/s: core
Affects Version/s: 6.3.0, 6.2.38
Fix Version/s: 6.3.0

Type: Improvement
Priority: Neutral
Reporter: Michael Duerig
Assignee: Michael Duerig
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:
Team: Foundation
Work Started:

 Description   

After a server side forward the CsrfCookieTokenFilter runs a second time and causes a second CSRF cookie to be set.

Reproducer

 curl -vv 'http://localhost:8080/magnoliaPublic/travel/tours/magnolia-travels/Hut-to-Hut-in-the-Swiss-Alps.html' 2>&1 | grep Set-Cookie

Implementation note

  • Making CsrfTokenFilterBase extend OncePerRequestAbstractMgnlFilter would ensure the filter is not executed after a server side redirect.
  • Trying to come up with a UT for this, I concluded this would need mocking of too many parts to make the whole machinery work. We should look into covering this with an IT in CE instead.
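
A pass/fail form of the reproducer above, as an added example that is not part of the original ticket or of Magnolia's code: it reads `curl -v` output and reports every cookie name that appears in more than one Set-Cookie header. The sample response and the cookie name `csrf-placeholder` are constructed for illustration.

```shell
#!/bin/sh
# duplicate_cookies: read `curl -v` output (or raw response headers) on stdin
# and print "<cookie-name> <count>" for every cookie set more than once.
# Exit status: 0 = every cookie set at most once, 1 = at least one duplicate.
duplicate_cookies() {
    awk '
        {
            sub(/\r$/, "")   # header lines are CRLF-terminated
            sub(/^< /, "")   # curl -v prefixes response headers with "< "
        }
        tolower($0) ~ /^set-cookie:/ {   # header names are case-insensitive
            name = $0
            sub(/^[^:]*:[ \t]*/, "", name)   # drop the header name
            sub(/=.*/, "", name)             # keep only the cookie name
            count[name]++
        }
        END {
            dup = 0
            for (name in count)
                if (count[name] > 1) { print name, count[name]; dup = 1 }
            exit dup
        }
    '
}

# Constructed sample of a response in which the filter ran twice.
# The cookie name and all values are placeholders, not captured output.
sample_forwarded_response() {
    printf '%s\r\n' \
        '< HTTP/1.1 200 OK' \
        '< Set-Cookie: JSESSIONID=AAAA; Path=/magnoliaPublic; HttpOnly' \
        '< Set-Cookie: csrf-placeholder=1111; Path=/magnoliaPublic' \
        '< Set-Cookie: csrf-placeholder=2222; Path=/magnoliaPublic' \
        '< Content-Type: text/html;charset=UTF-8'
}

# Usage against the page from the reproducer:
#   curl -vv 'http://localhost:8080/magnoliaPublic/travel/tours/magnolia-travels/Hut-to-Hut-in-the-Swiss-Alps.html' 2>&1 | duplicate_cookies
```

Because the function exits non-zero when a duplicate is found, it can serve directly as the assertion step of an integration test script.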


 Comments   
Comment by Marco Blasco [ 27/Dec/23 ]

Hello

Any updates regarding this?

Thanks and Cheers
Marco
