Type: Bug Report
Priority: L3 - Default
Affects Version/s: None
Fix Version/s: None
When an invalid CSRF token is submitted, the CSRF Filter invalidates the current session and an error should be sent back. The actual exception is swallowed by the Authentication Filter though.
Steps to reproduce:
- start a Camunda distribution using Tomcat
- do a POST request without providing any CSRF token (or with an invalid CSRF token), like
Observed behavior:
- A response code 500 is returned along with a stacktrace.
Expected behavior:
- The actual error (i.e. "Token provided via HTTP Header is absent/empty." or "Invalid HTTP Header Token.") is returned.
- The status code is 403.
Hint:
- The function call req.getSession() throws an IllegalStateException: the original session has already been invalidated, so the call tries to create a new one, and creating a new session fails because the response is already committed.
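As an added illustration of the hint above (not Camunda's own filter code, and not the project's actual filter layout): two servlet filters in the order the report implies, authentication outside and CSRF inside, written so that a rejected token ends in the 403 and the message chosen by the CSRF filter rather than a 500 from req.getSession(). The header name X-XSRF-TOKEN, the session attribute names and the safe-method list are assumptions for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added illustration, not Camunda's filter code. Header name, session attribute
 * names and the safe-method list are assumptions made for this example.
 */
public class CsrfSessionExample {

    static final String TOKEN_HEADER = "X-XSRF-TOKEN";   // assumed header name
    static final String TOKEN_ATTR = "csrfToken";         // assumed session attribute
    static final String USER_ATTR = "authenticatedUser";  // assumed session attribute

    /** Inner filter: validates the token, invalidates the session and answers 403 on failure. */
    public static class CsrfFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            String method = req.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
                chain.doFilter(request, response);   // safe methods carry no token
                return;
            }

            HttpSession session = req.getSession(false);   // never create a session here
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            String provided = req.getHeader(TOKEN_HEADER);

            String problem = null;
            if (provided == null || provided.isEmpty()) {
                problem = "Token provided via HTTP Header is absent/empty.";
            } else if (expected == null || !constantTimeEquals(expected, provided)) {
                problem = "Invalid HTTP Header Token.";
            }

            if (problem != null) {
                if (session != null) {
                    session.invalidate();   // the session is no longer trusted
                }
                // sendError commits the response; from here on nothing may create a session
                res.sendError(HttpServletResponse.SC_FORBIDDEN, problem);
                return;   // do not continue the chain
            }
            chain.doFilter(request, response);
        }
    }

    /** Outer filter: all session work happens before the chain runs; afterwards the session is
     *  touched only via getSession(false) and only while the response is still open. */
    public static class AuthenticationFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            HttpSession session = req.getSession(false);
            if (session == null || session.getAttribute(USER_ATTR) == null) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }

            // No try/catch around the chain: a catch block that swallows the exception and then
            // calls req.getSession() is exactly what turns the inner filter's 403 into a 500.
            chain.doFilter(request, response);

            // The CSRF filter may have invalidated the session and committed the response.
            if (!res.isCommitted()) {
                HttpSession after = req.getSession(false);
                if (after != null) {
                    after.setAttribute("lastRequest", System.currentTimeMillis());
                }
            }
        }
    }

    /** Length-independent comparison so token mismatches do not leak timing information. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register the two filters in web.xml with AuthenticationFilter mapped before CsrfFilter so that it wraps the CSRF check. The two rules the hint calls for are both in the outer filter: req.getSession(false) instead of req.getSession(), and no session access once res.isCommitted() is true.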