Details
Task
Resolution: Fixed
L3 - Default
Description
// given
- One tab with a valid Optimize user session
- One tab with a link that contains a forged request against Optimize
// when
I execute the forged request against Optimize
// then
My valid user session in Optimize expires.
// hint
The forged request itself is blocked, so no CSRF attack against Optimize is possible.
However, the response to the forged request contains the following headers, which instruct the browser to delete the session cookie:
Set-Cookie: X-Optimize-Authorization=;Version=1;Comment="delete cookie";Path=/;Max-Age=0;HttpOnly
Content-Length: 0
The forged request is embedded in the following HTML document:
<html><body>
<img src="http://127.0.0.1:8090/api/collection?orderBy=created" width="0" height="0">
</body></html>
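The defect described above is that the rejection path of the request filter always emits the cookie-deleting Set-Cookie header, so a blocked cross-site request still ends the user's session. The following is an added example, not Optimize's own code: a minimal model of such a filter showing the reported behaviour beside a version that only clears the cookie when the presented session is genuinely invalid. The cookie name, the origin and the Set-Cookie value are taken from the report; the in-memory session store, the Origin/Referer/Sec-Fetch-Site based cross-site check, the status codes and the SameSite hardening are assumptions.

```python
# Added example (not Optimize's code): model of a session filter that rejects
# cross-site requests. handle_buggy() reproduces the issue (every rejection
# deletes the session cookie); handle_fixed() clears the cookie only when the
# session itself is invalid. VALID_SESSIONS, the cross-site check and the
# status codes are assumptions; cookie name, origin and header come from the report.
from typing import Dict, Tuple
from urllib.parse import urlsplit

SESSION_COOKIE = "X-Optimize-Authorization"   # cookie name from the report
APP_ORIGIN = "http://127.0.0.1:8090"          # origin from the report
VALID_SESSIONS = {"sess-abc123"}              # constructed in-memory session store
DELETE_COOKIE = (f'{SESSION_COOKIE}=;Version=1;Comment="delete cookie";'
                 'Path=/;Max-Age=0;HttpOnly')  # header exactly as quoted in the report

Headers = Dict[str, str]
Response = Tuple[int, Headers]


def session_token(headers: Headers) -> str:
    """Extract the session cookie value from the Cookie header ('' if absent)."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return ""


def is_cross_site(headers: Headers) -> bool:
    """True when the request provably comes from another origin.

    An <img> fetch sends no Origin header, so fall back to Referer and to the
    Sec-Fetch-Site metadata header that current browsers attach. A request
    carrying none of these is treated as same-site here (assumption).
    """
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return True
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    u = urlsplit(source)
    return f"{u.scheme}://{u.netloc}" != APP_ORIGIN


def handle_buggy(headers: Headers) -> Response:
    """Behaviour described in the issue: every rejection deletes the cookie,
    so a blocked forged request still logs the legitimate user out."""
    if is_cross_site(headers) or session_token(headers) not in VALID_SESSIONS:
        return 401, {"Set-Cookie": DELETE_COOKIE, "Content-Length": "0"}
    return 200, {}


def handle_fixed(headers: Headers) -> Response:
    """Clear the cookie only when the session itself is invalid or expired;
    a CSRF rejection leaves the (still valid) session untouched."""
    if session_token(headers) not in VALID_SESSIONS:
        return 401, {"Set-Cookie": DELETE_COOKIE, "Content-Length": "0"}
    if is_cross_site(headers):
        return 403, {"Content-Length": "0"}
    return 200, {}


def issue_session_cookie(token: str) -> str:
    """Set-Cookie value for a fresh login. SameSite=Lax (assumed hardening, not
    from the report) stops the browser attaching the cookie to cross-site
    <img> and similar sub-resource requests in the first place."""
    return f"{SESSION_COOKIE}={token};Path=/;HttpOnly;SameSite=Lax"


# Constructed sample requests: the forged <img> fetch from another site, a
# normal same-origin call, and a request carrying a stale token.
FORGED = {"Cookie": f"{SESSION_COOKIE}=sess-abc123",
          "Referer": "http://third-party.example/page.html",
          "Sec-Fetch-Site": "cross-site"}
LEGIT = {"Cookie": f"{SESSION_COOKIE}=sess-abc123",
         "Referer": f"{APP_ORIGIN}/"}
STALE = {"Cookie": f"{SESSION_COOKIE}=sess-expired"}

if __name__ == "__main__":
    for label, req in (("forged", FORGED), ("legit", LEGIT), ("stale", STALE)):
        print(label, "buggy:", handle_buggy(req), "fixed:", handle_fixed(req))
```

Running the block shows the forged request producing a 401 plus the cookie-deleting header in the buggy handler, while the fixed handler answers 403 with no Set-Cookie and the legitimate session survives; only a genuinely stale token triggers cookie deletion in the fixed version.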