CSRF check always fails for users without a session

Created on 20 May 2016, almost 9 years ago
Updated 30 January 2023, about 2 years ago

Problem/Motivation

Any route using the _csrf_token requirement doesn't work for users without session because the CSRF checker fails as the CSRF seed is not stored anywhere.

Proposed resolution

Only add a CSRF token if a session is started.

Remaining tasks

User interface changes

Flag supports anonymous users (and there was much rejoicing).

API changes

CsrfAccessCheck constructor requires a new argument but it's a service so noone should be constructing it anyways.

Data model changes

None.

๐Ÿ› Bug report
Status

Needs work

Version

10.1 โœจ

Component
Request processingย  โ†’

Last updated 5 days ago

No maintainer
Created by

๐Ÿ‡จ๐Ÿ‡ฆCanada chx

Live updates comments and jobs are added and updated live.
  • Contributed project blocker

    It denotes an issue that prevents porting of a contributed project to the stable version of Drupal due to missing APIs, regressions, and so on.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupalโ€™s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the โ€œReport a security vulnerabilityโ€ link in the project pageโ€™s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024