- marked as enhancement
- marked as minor
Invalid CSRF check
Issue #495
resolved
Checking the token in cookies with Str_startsWith(cookie, "securitytoken=") is inappropriate, because there may be other cookies, and their order is not guaranteed.
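To illustrate the report's point, here is an added example (not Monit's code): a prefix-only check of the kind the report describes, beside a check that walks the Cookie header pair by pair and compares the securitytoken value wherever it appears, without exiting early on the first mismatched byte. The function names and the cookie strings are constructed for this example.

```c
#include <stdbool.h>
#include <string.h>

/* Prefix-only check, modelled on the one the report describes (a
   reconstruction for illustration, not Monit's code): it only succeeds
   when securitytoken is the first cookie in the header. */
static bool naive_token_check(const char *cookie_header, const char *expected) {
    const char *prefix = "securitytoken=";
    if (strncmp(cookie_header, prefix, strlen(prefix)) != 0)
        return false;                     /* any preceding cookie breaks this */
    const char *v = cookie_header + strlen(prefix);
    size_t vlen = strcspn(v, ";");
    return vlen == strlen(expected) && strncmp(v, expected, vlen) == 0;
}

/* Length-then-bytes comparison without early exit, so a mismatch does not
   reveal how many leading bytes of the token were right. */
static bool ct_equal(const char *a, size_t alen, const char *b, size_t blen) {
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < alen && i < blen; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Position-independent check: walk every "name=value" pair in the Cookie
   header and compare the value of the one named securitytoken. */
static bool token_cookie_matches(const char *cookie_header, const char *expected) {
    static const char name[] = "securitytoken";
    const size_t nlen = sizeof name - 1;
    const char *p = cookie_header;
    while (*p) {
        while (*p == ' ' || *p == ';')    /* skip pair separators */
            p++;
        if (!*p)
            break;                        /* trailing separators only */
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq && (size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0) {
            const char *value = eq + 1;
            return ct_equal(value, len - nlen - 1, expected, strlen(expected));
        }
        p += len;                         /* move on to the next pair */
    }
    return false;                         /* cookie absent: reject */
}
```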
Comments (6)
- repo owner: There is currently only one cookie set by monit.
- Yep. For now. But I can't agree with you that it's not a bug. Our problem is that we're using the same TLD for monit and many other services: we have a few google-analytics scripts installed on the same domain as monit (more precisely we have the domain avs.io, with GA set up on it, and monit on src1.int.avs.io), and GA sets cookies on the entire domain, not caring about others.
- repo owner changed status to resolved. Fixed: Issue #495: position independent CSRF cookie value → <<cset f9a9a7a92c92>>
- Wow! It was fast! Thank you.
- repo owner: Issue #535 was marked as a duplicate of this issue.
- repo owner: Issue #732 was marked as a duplicate of this issue.