Bug #41169

Routing Cache caches csrf protection tokens

Added by Christian Müller about 9 years ago. Updated over 8 years ago.

Priority: Should have
Category: MVC - Routing


If you look at the saved URLs in routing cache files you will see that CSRF protection tokens are cached in there, which is not very useful.


Updated by Christian Müller almost 9 years ago

  • Assignee set to Bastian Waidelich

Updated by Bastian Waidelich over 8 years ago

  • Status changed from New to Closed

For the match case (incoming) the RouterCaching aspect only caches the route path (excluding any query arguments).
For resolve (outgoing) the aspect stores all values passed to Router::resolve() no matter what internal meaning they have and that seems correct to me.
The actual issue was IMO that the CSRF token was part of those $routeValues in the first place (added by CsrfProtectionAspect::addCsrfTokenToUri()).

I'm closing this bug for now because the issue is fixed with #47252 and the bug is not critical to be backported to older branches IMO.
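
A toy model of the resolve-side behaviour described in the comment above, added here as an illustration; it is not code from Flow or from #47252. `ToyResolveCache`, `resolveUri()` and `tokensInCache()` are hypothetical names, the `__csrfToken` argument name is an assumption, and the tokens are constructed sample values. It compares passing the token as a route value with appending it after the cached resolve, which is one way to keep it out of the cache.

```php
<?php
declare(strict_types=1);

// Toy model only: ToyResolveCache and resolveUri() are hypothetical stand-ins
// for the router caching aspect and Router::resolve(), not Flow code.
function resolveUri(array $routeValues): string
{
    $path = '/' . $routeValues['@controller'] . '/' . $routeValues['@action'];
    unset($routeValues['@controller'], $routeValues['@action']);
    return $routeValues === [] ? $path : $path . '?' . http_build_query($routeValues);
}

final class ToyResolveCache
{
    /** @var array<string,string> cache key => resolved URI */
    public array $entries = [];

    public function resolve(array $routeValues): string
    {
        ksort($routeValues);
        // Every route value feeds the key and ends up in the stored URI.
        $key = hash('sha256', serialize($routeValues));
        return $this->entries[$key] ??= resolveUri($routeValues);
    }
}

function tokensInCache(ToyResolveCache $cache, array $tokens): int
{
    $stored = implode("\n", $cache->entries);
    return count(array_filter($tokens, fn (string $t) => strpos($stored, $t) !== false));
}

// Constructed sample: three sessions, each with its own token, link to one action.
$route = ['@controller' => 'comment', '@action' => 'delete'];
$tokens = array_map(fn () => bin2hex(random_bytes(8)), range(1, 3));

$tokenInValues = new ToyResolveCache();   // token passed as a route value
$tokenAppended = new ToyResolveCache();   // token added after the cached resolve
foreach ($tokens as $token) {
    $tokenInValues->resolve($route + ['__csrfToken' => $token]); // assumed argument name
    $uri = $tokenAppended->resolve($route);
    $uri .= (strpos($uri, '?') === false ? '?' : '&') . '__csrfToken=' . $token;
}

foreach (['token in route values' => $tokenInValues, 'token appended later' => $tokenAppended] as $label => $cache) {
    printf("%-22s %d cache entries, %d tokens stored\n", $label, count($cache->entries), tokensInCache($cache, $tokens));
}
```

With the token among the route values the cache grows by one entry per session and each entry holds that session's token; with the token appended afterwards a single token-free entry serves every session.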
