Loading...

XML

Word

Printable

Type: Bug Report
Resolution: Unresolved
Priority: L3 - Default
Fix Version/s: 7.12.0, spring-boot 3.4.0, 7.11.4, 7.10.10, 7.9.16, 7.12.0-alpha4, spring-boot 3.3.5, spring-boot 3.2.7, spring-boot 3.1.7, spring-boot 3.0.7
Affects Version/s: 7.9.5, 7.12.0, 7.10.9, 7.11.3
Component/s: webapp
Labels:
None

Steps to reproduce

Use Firefox
Add a link to the Webapps on a webpage located at a cross-origin (e. g. by using the developer console to manipulate the DOM of this webpage)
Click the link to the Webapps
Login to the Webapps
Perform an action that results in a POST request (e. g. by clicking on the running instances count on the dashboard)

Observed behavior

The session is invalidated since the CSRF token request header is absent
It is not possible to perform modifying requests until Firefox is restarted

Expected behavior
The session is not invalidated and the CSRF token request header is present.

Solution
Set the default value for the SameSite property from strict to lax

Hints

In case of the lax option the cookie is sent on GET from the cross-origin
The problem reoccurs if a modifying request is sent from a cross-origin
Only a restart of the browser makes the Webapps usable again

This is the controller panel for Smart Panels app

is related to

CAM-11758 Camunda BPM Run: default CSRF prevetion config does not work for Firefox

Closed

Assignee:: Akif

Reporter:: Tassilo Weidner

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 04/Sep/19 1:05 PM

Updated:: 09/Apr/20 10:17 AM