
Revision 2aacf2ea

Parent 4b675cdb

Added by Bastian Waidelich about 7 years ago

[BUGFIX] Render Form CSRF token field only if authenticated

Currently ``CSRF`` tokens are only enforced if an account is
authenticated. But the form ViewHelper rendered the corresponding
hidden field for all forms with method != "GET".


Rendering the hidden field did not have a side effect before but as
CSRF tokens only make sense with an active session,
``Security\Context::getCsrfProtectionToken()`` will be adjusted to start
a session when called. Therefore the token should only be fetched if it's
really required.

Change-Id: I896f6a722445deede1f0a656ea73db04f0d2e978
Related: FLOW-130
Releases: master, 2.3, 2.2, 2.1
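
The side effect the commit message describes, as an added example that is not part of this commit or of Flow's code base: a small model in which fetching the token starts a session, rendered once without and once with the authentication check. All class and function names and the hidden field name are assumptions made for the illustration.

```php
<?php
// Added illustration. DemoSession, DemoSecurityContext and renderCsrfField are
// hypothetical names, not Flow's classes; "__csrfToken" is an assumed field name.

final class DemoSession
{
    public bool $started = false;
}

final class DemoSecurityContext
{
    private ?string $token = null;

    public function __construct(private DemoSession $session, private bool $authenticated)
    {
    }

    public function isAuthenticated(): bool
    {
        return $this->authenticated;
    }

    // Models the adjusted getter from the commit message: fetching a token starts a session.
    public function getCsrfProtectionToken(): string
    {
        $this->session->started = true;
        return $this->token ??= bin2hex(random_bytes(16));
    }
}

function renderCsrfField(DemoSecurityContext $context, string $method, bool $onlyIfAuthenticated): string
{
    if (strtoupper($method) === 'GET') {
        return ''; // GET forms never carried the field
    }
    if ($onlyIfAuthenticated && !$context->isAuthenticated()) {
        return ''; // token not fetched, so no session is created for the visitor
    }
    $token = htmlspecialchars($context->getCsrfProtectionToken(), ENT_QUOTES);
    return '<input type="hidden" name="__csrfToken" value="' . $token . '" />';
}

// Render a POST form for an anonymous visitor, without and with the authentication check.
foreach ([false, true] as $onlyIfAuthenticated) {
    $session = new DemoSession();
    $html = renderCsrfField(new DemoSecurityContext($session, false), 'post', $onlyIfAuthenticated);
    printf("check=%s field_rendered=%s session_started=%s\n",
        var_export($onlyIfAuthenticated, true), var_export($html !== '', true), var_export($session->started, true));
}
```

Run with PHP 8.0 or later; the two output lines show whether an anonymous page view leaves a session behind in each mode.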
