Details
L3 - Default Description
Reproduce:
- Login to Cockpit
- Invalidate the CSRF token (by going to the dev tools, and change the value of the XSRF-TOKEN cookie)
- Perform any operation that uses a POST request, e.g. goto any process definition page
- Observe the denied by server error message and refresh the page
Expected:
- After page refresh, the csrf token is refreshed
Observed:
- Since the token is stored as cookie, the issue persists even after the page refresh
Workaround:
- Let the session expire and login again. On login, a new CSRF token is granted (it is not possible to logout without the correct CSRF token, so actually waiting for a session timeout or clearing the session cookie manually is the only way)