
Revision 7908073f

ID 7908073ffe878555a5a71b42443b2ecf239bdb39
Parent c56b7803
Child 8687bfb8

Added by Bastian Waidelich over 7 years ago

[BUGFIX] Start session when fetching a CSRF token

This change adds a ``@Flow\Session(autoStart=true)`` annotation to the
method ``Security\Context::getCsrfProtectionToken()``.

Background:

Currently ``CSRF`` tokens are bound to a session. Thus fetching a token
without starting a session makes no sense because the token will be
invalid on the next request.

In the long run we might be able to create "stateless" CSRF tokens that
don't require a session.

Change-Id: Ic7eaf07db4f42f41430effaf7939ce7ca1fd1175
Related: FLOW-130
Releases: master, 2.3, 2.2, 2.1
Depends: I896f6a722445deede1f0a656ea73db04f0d2e978
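
The failure mode described under "Background", as an added PHP 8 example that is not part of this commit or of Flow's code. `ToySession`, `getCsrfToken()` and `roundTrip()` are hypothetical names, and the `$autoStart` flag is an assumed stand-in for the effect of the `autoStart=true` annotation.

```php
<?php
// Toy model (hypothetical classes, not Flow's API): session data reaches the
// next request only if a session was actually started.
final class ToySession
{
    private array $data = [];
    private ?string $id = null; // null = no session started

    public function __construct(private ArrayObject $store, ?string $cookie = null)
    {
        // Resume only a session id the server already knows.
        if ($cookie !== null && isset($store[$cookie])) {
            $this->id = $cookie;
            $this->data = $store[$cookie];
        }
    }
    public function start(): void { $this->id ??= bin2hex(random_bytes(8)); }
    public function put(string $key, string $value): void { $this->data[$key] = $value; }
    public function get(string $key): ?string { return $this->data[$key] ?? null; }
    // End of request: only a started session is persisted and yields a cookie.
    public function close(): ?string
    {
        if ($this->id !== null) { $this->store[$this->id] = $this->data; }
        return $this->id;
    }
}

// Session-bound token: created once, then kept in the session data.
function getCsrfToken(ToySession $session, bool $autoStart): string
{
    if ($autoStart) { $session->start(); } // assumed effect of autoStart=true
    $token = $session->get('csrf') ?? bin2hex(random_bytes(16));
    $session->put('csrf', $token);
    return $token;
}

// Request 1 fetches a token; request 2 submits it with the session cookie, if any.
function roundTrip(bool $autoStart): bool
{
    $store = new ArrayObject();          // constructed server-side session storage
    $first = new ToySession($store);
    $token = getCsrfToken($first, $autoStart);
    $cookie = $first->close();           // null when no session was started
    $second = new ToySession($store, $cookie);
    $expected = $second->get('csrf');
    return $expected !== null && hash_equals($expected, $token);
}

var_dump(roundTrip(false), roundTrip(true));
```

Without the auto-start the second request has no stored token to compare against, so the submitted token is rejected; with it the same token validates.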
