User session expires after CSRF attack


    • Type: Task
    • Resolution: Fixed
    • Priority: L3 - Default
    • Fix Version/s: 2.7.0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None

      // given

      • One tab with a valid Optimize user session
      • One tab with a link that contains a forged request against Optimize

      // when
      I execute a forged request against Optimize

      // then
      my valid user session in Optimize expires

      // hint
      the forged request itself is blocked, so no CSRF attack is possible
      but the response to the forged request contains the following headers, which make the browser delete the session cookie:

      Set-Cookie: X-Optimize-Authorization=;Version=1;Comment="delete cookie";Path=/;Max-Age=0;HttpOnly
      Content-Length: 0
      

      the forged request is hidden in the following HTML document:

      <html><body>
      
      <img src="http://127.0.0.1:8090/api/collection?orderBy=created" width="0" height="0">
      
      </body></html>
      
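      The following Python model is an added illustration of the behaviour in this report and is not Optimize's own code. It shows why a blocked cross-site request must be refused without emitting the cookie-deleting Set-Cookie header: the browser applies that header regardless of whether the request was rejected, so the victim's own session is gone afterwards. The cookie name and the Set-Cookie value are taken from the report; the Origin/Referer check, the token store, the cookie-jar handling and all function names are assumptions made for the example.

```python
# Added example, not Camunda Optimize code. Models the report: an auth filter
# that blocks a cross-site request but answers it with a cookie-deleting
# Set-Cookie, so the victim's browser drops its own session cookie.
# The cross-site check, the token store and the cookie jar are assumptions.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "X-Optimize-Authorization"   # cookie name from the report
APP_ORIGIN = "http://127.0.0.1:8090"          # assumed Optimize origin

# The delete-cookie header value quoted in the report
DELETE_COOKIE = (f'{SESSION_COOKIE}=;Version=1;Comment="delete cookie";'
                 'Path=/;Max-Age=0;HttpOnly')


@dataclass
class Response:
    status: int
    headers: list = field(default_factory=list)   # (name, value) pairs


def session_token(request_headers):
    """Return the session token carried in the Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def is_cross_site(request_headers):
    """Assumed CSRF check: Origin (or Referer, since an <img> fetch sends no
    Origin) must match the app origin. Neither header present counts as
    same-site here, a simplification for the example."""
    source = request_headers.get("Origin") or request_headers.get("Referer")
    return source is not None and _origin_of(source) != APP_ORIGIN


def handle_buggy(request_headers, valid_tokens):
    """Reported behaviour: every rejected request, including a blocked
    cross-site one, is answered with the cookie-deleting header."""
    if is_cross_site(request_headers) or session_token(request_headers) not in valid_tokens:
        return Response(401, [("Set-Cookie", DELETE_COOKIE)])
    return Response(200)


def handle_fixed(request_headers, valid_tokens):
    """Corrected behaviour: a blocked cross-site request is refused without
    touching the cookie; only a stale or invalid token gets the delete header."""
    if is_cross_site(request_headers):
        return Response(403)
    if session_token(request_headers) not in valid_tokens:
        return Response(401, [("Set-Cookie", DELETE_COOKIE)])
    return Response(200)


def deletes_session_cookie(response):
    """Detection helper: does this response tell the browser to drop the
    session cookie (Max-Age=0 on the session cookie name)?"""
    for name, value in response.headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        morsel = jar.get(SESSION_COOKIE)
        if morsel is not None and morsel["max-age"] == "0":
            return True
    return False


def browser_apply(cookie_jar, response):
    """Minimal browser cookie handling: a Max-Age=0 Set-Cookie removes the
    cookie from the jar (a dict of name -> value)."""
    if deletes_session_cookie(response):
        cookie_jar.pop(SESSION_COOKIE, None)
    return cookie_jar


def simulate(handler):
    """Replay the report: the victim is logged in, a forged cross-site GET
    fires, then the victim makes a legitimate request. Returns its status."""
    valid_tokens = {"tok-constructed"}              # constructed sample token
    jar = {SESSION_COOKIE: "tok-constructed"}       # victim's browser cookies

    def cookie_header():
        return "; ".join(f"{k}={v}" for k, v in jar.items())

    forged = {"Cookie": cookie_header(), "Referer": "http://other.invalid/"}
    browser_apply(jar, handler(forged, valid_tokens))

    legit = {"Cookie": cookie_header(), "Origin": APP_ORIGIN}
    return handler(legit, valid_tokens).status


if __name__ == "__main__":
    print("buggy filter, victim's next request:", simulate(handle_buggy))   # 401
    print("fixed filter, victim's next request:", simulate(handle_fixed))   # 200
```

      With the buggy filter the forged request is refused, but the browser honours the Max-Age=0 header and the victim's next legitimate request arrives without a cookie and fails; with the fixed filter the forged request gets a 403 with no Set-Cookie and the session survives. The `deletes_session_cookie` helper is the check to run over responses to rejected requests in a regression test.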

            Assignee:
            Unassigned
            Reporter:
            Michael Schoettes