camunda BPM

CAM-11080: Session is not invalidated when webapps are set up with incorrect CSRF token cookie name

Details

    • Type: Bug Report
    • Resolution: Won't Fix
    • Priority: L3 - Default
    • Affects Version: 7.12.0

    Description

      Steps:
      0. Download some distro (I used Wildfly)
      1. Change the CSRF cookie name (cookieName) in web.xml [1]
      2. Change the CSRF cookie name (csrfCookieName) in config.js of the Cockpit and Tasklist apps only, and do not change it for Admin [2]
      3. Start the distro and log in via Tasklist (or Cockpit)
      4. Then navigate to Admin
      5. Perform a modification request, for example, try to create a new user
      6. The creation fails (as Admin does not have the correct CSRF cookie name) with:

      403 Forbidden
      CSRFPreventionFilter: Token provided via HTTP Header is absent/empty.

      7. Reload the current page

      Expected:
      The session is invalidated.

      Observed:
      The session is not invalidated and the user can continue to perform GET requests.

      [1]: https://docs.camunda.org/manual/develop/webapps/shared-options/csrf-prevention/
      [2]: https://docs.camunda.org/manual/develop/webapps/cockpit/extend/configuration/#change-csrf-cookie-name
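The misconfiguration in steps 1 and 2 is a plain consistency error between web.xml and the per-app config.js files, and it can be caught before deployment. The following script is an added example written for this page, not Camunda project code. It assumes, as the steps above state, that the filter's cookie name is an init-param called cookieName in web.xml and that each web app's config.js sets csrfCookieName; the filter class name and the XSRF-TOKEN default are taken from the Camunda docs and are assumptions here. The web.xml and config.js contents below are constructed samples that reproduce the Admin mismatch from the report.

```python
"""Added example (not Camunda project code): report every web app whose
config.js expects a different CSRF cookie name than the CsrfPreventionFilter
in web.xml is configured to set.  Assumptions: the filter's cookie name is
an <init-param> named "cookieName" in web.xml and config.js sets it as
`csrfCookieName: '...'` (both as in the issue); the filter class name and
the XSRF-TOKEN default follow the Camunda docs.  All samples are constructed."""
import re
import xml.etree.ElementTree as ET

DEFAULT_COOKIE_NAME = "XSRF-TOKEN"  # Camunda's documented default (assumption)

# Constructed web.xml: the filter cookie name has been renamed (step 1).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>cookieName</param-name>
      <param-value>MY-XSRF-TOKEN</param-value>
    </init-param>
  </filter>
</web-app>
"""

# Constructed config.js files: Cockpit and Tasklist were updated (step 2),
# Admin was left alone and therefore still uses the default name.
SAMPLE_CONFIG_JS = {
    "cockpit": "export default {\n  csrfCookieName: 'MY-XSRF-TOKEN'\n};\n",
    "tasklist": 'export default {\n  csrfCookieName: "MY-XSRF-TOKEN"\n};\n',
    "admin": "export default {\n  customScripts: []\n};\n",
}

CSRF_NAME_RE = re.compile(r"""csrfCookieName\s*:\s*(['"])([^'"]+)\1""")


def _local(tag):
    """Drop the XML namespace so the lookup works for any web-app schema URI."""
    return tag.rsplit("}", 1)[-1]


def web_xml_cookie_name(web_xml_text):
    """Cookie name configured on the CSRF filter, or the default when unset."""
    root = ET.fromstring(web_xml_text)
    for flt in root.iter():
        if _local(flt.tag) != "filter":
            continue
        children = list(flt)
        cls = next((c.text or "" for c in children if _local(c.tag) == "filter-class"), "")
        if "csrf" not in cls.lower():
            continue  # some other servlet filter
        for param in children:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "cookieName":
                return kv.get("param-value") or DEFAULT_COOKIE_NAME
    return DEFAULT_COOKIE_NAME


def config_js_cookie_name(config_js_text):
    """Cookie name a web app's config.js expects, or the default when not set."""
    match = CSRF_NAME_RE.search(config_js_text)
    return match.group(2) if match else DEFAULT_COOKIE_NAME


def find_mismatches(web_xml_text, config_js_by_app):
    """Map app name -> (name in config.js, name in web.xml) for every app that disagrees."""
    expected = web_xml_cookie_name(web_xml_text)
    mismatches = {}
    for app, text in config_js_by_app.items():
        actual = config_js_cookie_name(text)
        if actual != expected:
            mismatches[app] = (actual, expected)
    return mismatches


if __name__ == "__main__":
    for app, (actual, expected) in sorted(find_mismatches(SAMPLE_WEB_XML, SAMPLE_CONFIG_JS).items()):
        print(f"{app}: config.js sends cookie {actual!r}, web.xml filter expects {expected!r}")
```

Run against a real distribution by reading the deployed web.xml and each app's config.js from disk and passing their contents to find_mismatches; any app it lists will hit the 403 shown in step 6 on its first modifying request.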

            People

              Assignee: Unassigned
              Reporter: Yana Vasileva