Loading...

XML

Word

Printable

Details

Type: Bug Report
Resolution: Fixed
Priority: L3 - Default
Fix Version/s: 7.10.0, 7.7.10, 7.9.6, 7.8.12, 7.10.0-alpha6
Affects Version/s: 7.10.0-alpha3, 7.10.0-alpha4
Component/s: webapp
Labels:
- SUPPORT

Description

When concurrent requests (related to the same http session) try to generate a CSRF token, then for each request a CSRF token is generated, whereby the last one wins and is stored in the http session.

The creation of CSRF tokens should be synchronized [1], like

if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) == null) {

  synchronized(<session_mutex>) {
    if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) == null) {
      // TODO...
    }
  }
}

To synchronize a "session mutex" could be used.

[1]: https://github.com/camunda/camunda-bpm-webapp/blob/14f8f94f7381f62566bca3a92e9aa87aa4f520b7/src/main/java/org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.java#L203-L217

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Activity

People

Assignee:: Michael Schoettes

Reporter:: Roman Smirnov

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 30/Aug/18 4:16 PM

Updated:: 19/Nov/18 11:54 AM

Resolved:: 23/Oct/18 12:02 PM

Concurrent creation of CSRF token is not synchronized