Details
- Bug Report
- Resolution: Won't Fix
- L3 - Default
- 7.12.0
Description
Steps:
0. Download some distro (I used Wildfly)
1. Change the CSRF cookie name (cookieName) in the web.xml [1]
2. Change the CSRF cookie name (csrfCookieName) in the config.js of the Cockpit and Tasklist apps only; do not change it for Admin [2]
3. Start the distro and log in via Tasklist (or Cockpit)
4. Then navigate to Admin
5. Perform a modifying request, for example, try to create a new user
6. The creation fails (as Admin does not use the correct CSRF cookie name) with
403 Forbidden CSRFPreventionFilter: Token provided via HTTP Header is absent/empty.
7. Reload the current page
Expected:
The session is invalidated.
Observed:
The session is not invalidated and the user can continue to perform GET requests.
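An added consistency check for the setup in the steps above (example script, not part of Camunda or of this report): it compares the cookieName declared in web.xml with the csrfCookieName each app's config.js reads and names the app that was left out of the rename. The directory layout, the window.cam*Conf variable names and the XSRF-TOKEN default are assumptions.

```shell
# Added example, not part of the Camunda project: check that the CSRF cookie name the
# CsrfPreventionFilter issues (web.xml init-param "cookieName") is the name every web app
# front end reads (csrfCookieName in config.js). Paths and the XSRF-TOKEN default are assumed.

# Print the cookie name declared in web.xml; empty if the init-param is absent.
webxml_cookie_name() {
  tr -d '\n' < "$1" | sed -n \
    's/.*<param-name>[[:space:]]*cookieName[[:space:]]*<\/param-name>[[:space:]]*<param-value>[[:space:]]*\([^<[:space:]]*\).*/\1/p'
}

# Print the csrfCookieName from a config.js; empty if the key is absent.
configjs_cookie_name() {
  sed -n "s/.*csrfCookieName[[:space:]]*:[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# check_csrf_cookie_names WEBAPP_DIR: exit 0 when Cockpit, Tasklist and Admin all read
# the name the filter issues; otherwise print each mismatching app and exit 1.
check_csrf_cookie_names() {
  dir=$1
  expected=$(webxml_cookie_name "$dir/WEB-INF/web.xml")
  [ -n "$expected" ] || expected=XSRF-TOKEN       # assumed filter default
  status=0
  for app in cockpit tasklist admin; do
    actual=$(configjs_cookie_name "$dir/app/$app/scripts/config.js")
    [ -n "$actual" ] || actual=XSRF-TOKEN         # assumed front-end default
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $app reads cookie '$actual' but the filter issues '$expected'"
      status=1
    fi
  done
  return $status
}

# Constructed sample tree reproducing the report: web.xml, Cockpit and Tasklist renamed
# to MY-CSRF-TOKEN, Admin left untouched.
make_sample_tree() {
  base=$1
  for app in cockpit tasklist admin; do mkdir -p "$base/app/$app/scripts"; done
  mkdir -p "$base/WEB-INF"
  cat > "$base/WEB-INF/web.xml" <<'EOF'
<web-app><filter><filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter</filter-class>
  <init-param><param-name>cookieName</param-name><param-value>MY-CSRF-TOKEN</param-value></init-param>
</filter></web-app>
EOF
  echo "window.camCockpitConf = { csrfCookieName: 'MY-CSRF-TOKEN' };" > "$base/app/cockpit/scripts/config.js"
  echo "window.camTasklistConf = { csrfCookieName: 'MY-CSRF-TOKEN' };" > "$base/app/tasklist/scripts/config.js"
  echo "window.camAdminConf = {};" > "$base/app/admin/scripts/config.js"
}
```

Run it as `make_sample_tree /tmp/demo && check_csrf_cookie_names /tmp/demo`, or point check_csrf_cookie_names at an unpacked camunda webapp directory of your own distro.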
[1]: https://docs.camunda.org/manual/develop/webapps/shared-options/csrf-prevention/
[2]: https://docs.camunda.org/manual/develop/webapps/cockpit/extend/configuration/#change-csrf-cookie-name