Bug #41169

Routing Cache caches csrf protection tokens

Added by Christian Müller over 8 years ago. Updated about 8 years ago.

Status: Closed
Priority: Should have
Category: MVC - Routing
Target version: -
Start date: 2012-09-21
Due date:
% Done: 0%
Estimated time:
PHP Version:
Has patch: No
Complexity:

Description

If you look at the saved URLs in the routing cache files, you will see that CSRF protection tokens are cached in there, which is not very useful.

#2

Updated by Christian Müller over 8 years ago

  • Assignee set to Bastian Waidelich

#3

Updated by Bastian Waidelich about 8 years ago

  • Status changed from New to Closed

For the match case (incoming) the RouterCaching aspect only caches the route path (excluding any query arguments).
For resolve (outgoing) the aspect stores all values passed to Router::resolve() no matter what internal meaning they have and that seems correct to me.
The actual issue was IMO that the CSRF token was part of those $routeValues in the first place (added by CsrfProtectionAspect::addCsrfTokenToUri()).

I'm closing this bug for now because the issue is fixed with #47252 and the bug is not critical to be backported to older branches IMO.
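The behaviour described in comment #3, as an added example that is not Flow code and not taken from #47252: a resolve cache keyed on every route value it receives stores the token whenever the token is part of those values. The `ResolveCache` class, the `__csrfToken` argument name and the token strings are assumptions made for illustration, and appending the token after resolving is one possible way to keep it out of the cache.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a resolve cache: it keys on ALL route values it is given.
final class ResolveCache
{
    /** @var array<string, string> cache key => resolved URI */
    public array $entries = [];

    public function resolve(array $routeValues): string
    {
        ksort($routeValues);
        $key = sha1(serialize($routeValues));
        if (!isset($this->entries[$key])) {
            // Simplified routing: controller/action become the path, the rest the query.
            $path = strtolower($routeValues['@controller'] . '/' . $routeValues['@action']);
            $query = array_diff_key($routeValues, ['@controller' => 1, '@action' => 1]);
            $this->entries[$key] = $path . ($query ? '?' . http_build_query($query) : '');
        }
        return $this->entries[$key];
    }
}

$values = ['@controller' => 'Post', '@action' => 'delete', 'post' => '42'];
$tokens = ['constructed-token-a', 'constructed-token-b']; // constructed sample values

// Token merged into the route values before resolving: it becomes part of the
// cache key and of the cached URI, so each token adds an entry for the same route.
$leaky = new ResolveCache();
foreach ($tokens as $token) {
    $leaky->resolve($values + ['__csrfToken' => $token]);
}
printf("token in route values: %d cache entries\n", count($leaky->entries));
print_r(array_values($leaky->entries));

// Token appended after resolving: the cache sees only token-free values.
$clean = new ResolveCache();
foreach ($tokens as $token) {
    $uri = $clean->resolve($values);
    $uri .= (strpos($uri, '?') === false ? '?' : '&') . http_build_query(['__csrfToken' => $token]);
    echo $uri, "\n";
}
printf("token appended afterwards: %d cache entry\n", count($clean->entries));
print_r(array_values($clean->entries));
```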
