Revision 408919f4

ID 408919f486ffd78b0f8e38dd00e8e3ddd5601d0d
Parent 2497220c
Child 1d7f93e6

Added by Bastian Waidelich almost 7 years ago

[BUGFIX] Start session when fetching a CSRF token

This change adds a ``@Flow\Session(autoStart=true)`` annotation to the
method ``Security\Context::getCsrfProtectionToken()``.

Background:

Currently ``CSRF`` tokens are bound to a session. Thus fetching a token
without starting a session makes no sense because the token will be
invalid on the next request.

In the long run we might be able to create "stateless" CSRF tokens that
don't require a session.

Change-Id: Ic7eaf07db4f42f41430effaf7939ce7ca1fd1175
Related: FLOW-130
Releases: master, 2.3, 2.2, 2.1
Depends: I896f6a722445deede1f0a656ea73db04f0d2e978
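
The following is an added example, not code from this commit or from Flow: a simplified PHP 8 model of why a session-bound CSRF token fetched without a started session is rejected on the next request. The class `ModelSecurityContext`, its `isTokenValid()` and `shutdown()` methods, and the `ArrayObject` session store are assumptions made for illustration; only the `getCsrfProtectionToken()` name and the `autoStart` behaviour come from the commit message.

```php
<?php
// Simplified model, not Flow's implementation. Tokens are kept in session data,
// and session data outlives the request only if a session was started.
final class ModelSecurityContext
{
    private array $tokens = [];

    public function __construct(
        private ArrayObject $store,      // server-side session storage: id => tokens
        private ?string $sessionId,      // session cookie sent by the client, if any
        private bool $autoStart          // models @Flow\Session(autoStart=true)
    ) {
        if ($sessionId !== null) {
            $this->tokens = $store[$sessionId] ?? [];
        }
    }

    public function getCsrfProtectionToken(): string
    {
        if ($this->sessionId === null && $this->autoStart) {
            $this->sessionId = bin2hex(random_bytes(16));   // start session on demand
        }
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = true;
        return $token;
    }

    public function isTokenValid(string $token): bool
    {
        return isset($this->tokens[$token]);
    }

    // End of request: persist only if a session exists; returns the cookie to send.
    public function shutdown(): ?string
    {
        if ($this->sessionId !== null) {
            $this->store[$this->sessionId] = $this->tokens;
        }
        return $this->sessionId;
    }
}

foreach ([false, true] as $autoStart) {
    $store = new ArrayObject();
    $first = new ModelSecurityContext($store, null, $autoStart);   // request 1: render form
    $token = $first->getCsrfProtectionToken();
    $second = new ModelSecurityContext($store, $first->shutdown(), $autoStart); // request 2
    printf("autoStart=%s: token %s\n", var_export($autoStart, true), $second->isTokenValid($token) ? 'accepted' : 'rejected');
}
```

Without `autoStart` the first request ends with no session cookie, so the token it handed out has nothing to be checked against when the form is submitted.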