Invalid CSRF check

Issue #495 resolved
Former user created an issue

Checking token in cookies with Str_startsWith(cookie, "securitytoken=") is inappropriate, because there is may be other cookies, and their order is not guaranteed.

Comments (6)

  1. Andrey Yantsen

    Yep. For now. But I can't agree with you that it's not a bug. Our problem is that we're using same TLD for monit and many other services: we have few google-analytics scripts installed on same domain as monit (more precisely we have domain, with GA set up on it, and monit on, and GA sets cookies on entire domain, not caring about others.

  2. Log in to comment