
Revision e015570e

ID e015570ebd0baf0c6cc8967305724c8762214e8f
Parent fbb242a6
Child 1ed0a672

Added by Bastian Waidelich about 7 years ago

[BUGFIX] Start session when fetching a CSRF token

This change adds a ``@Flow\Session(autoStart=true)`` annotation to the
method ``Security\Context::getCsrfProtectionToken()``.

Background:

Currently ``CSRF`` tokens are bound to a session. Thus fetching a token
without starting a session makes no sense because the token will be
invalid on the next request.

In the long run we might be able to create "stateless" CSRF tokens that
don't require a session.

Change-Id: Ic7eaf07db4f42f41430effaf7939ce7ca1fd1175
Related: FLOW-130
Releases: master, 2.3, 2.2, 2.1
Depends: I896f6a722445deede1f0a656ea73db04f0d2e978
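
The failure mode described under "Background", as an added example that is not part of this commit or of Flow's code: a token issued without a started session has nowhere to be stored, so the next request cannot validate it. The `Session` class and `tokenSurvivesNextRequest()` are hypothetical names in a constructed model; only the no-session versus started-session behaviour is taken from the commit message.

```php
<?php
declare(strict_types=1);

// Constructed model of session-bound CSRF tokens; not Flow's implementation.
final class Session
{
    /** @var array<string, array<string, bool>> server-side store: session id => issued tokens */
    private static array $store = [];
    private ?string $id;

    public function __construct(?string $cookieId)
    {
        // Only a session id the server knows about resumes a session.
        $this->id = ($cookieId !== null && isset(self::$store[$cookieId])) ? $cookieId : null;
    }

    public function start(): void
    {
        $this->id ??= bin2hex(random_bytes(16));
        self::$store[$this->id] ??= [];
    }

    public function id(): ?string { return $this->id; }

    public function remember(string $token): void
    {
        // Without a started session there is nowhere to persist the token.
        if ($this->id !== null) { self::$store[$this->id][$token] = true; }
    }

    public function knows(string $token): bool
    {
        return $this->id !== null && isset(self::$store[$this->id][$token]);
    }
}

// Hypothetical round trip: request 1 fetches a token, request 2 submits it.
function tokenSurvivesNextRequest(bool $autoStart): bool
{
    $first = new Session(null);              // first visit, no session cookie
    if ($autoStart) { $first->start(); }     // what the annotation arranges in this model
    $token = bin2hex(random_bytes(16));
    $first->remember($token);
    $second = new Session($first->id());     // a cookie exists only if a session was started
    return $second->knows($token);
}

var_dump(tokenSurvivesNextRequest(false), tokenSurvivesNextRequest(true));
```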
