Invalid CSRF check

Issue #495 resolved
Anonymous created an issue

Checking token in cookies with Str_startsWith(cookie, "securitytoken=") is inappropriate, because there may be other cookies, and their order is not guaranteed.

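The parsing problem the report describes, as an added example that is not Monit's own code: a C routine that locates a named cookie anywhere in a Cookie header, beside the prefix-only check the report criticises, followed by a lookup-then-compare CSRF check built on it. The cookie name `securitytoken` is the one from the report; the helper names (`naive_check`, `cookie_get`, `csrf_cookie_matches`, `cookie_has_value`), the sample headers and the token values are constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Monit's own code. Shows why testing only the prefix of
   the Cookie header misses the token, and how to look the cookie up by name
   instead. Cookie name taken from the report; helper names, sample headers
   and values are constructed for illustration. */

#define CSRF_COOKIE "securitytoken"

/* The pattern criticised in the report: only matches when the CSRF cookie
   happens to be the first cookie in the header. */
static int naive_check(const char *cookie_header) {
    return strncmp(cookie_header, CSRF_COOKIE "=", strlen(CSRF_COOKIE "=")) == 0;
}

/* Look up a cookie by exact name anywhere in an "a=1; b=2; c=3" header.
   Copies its value into out (NUL-terminated, truncated to outlen-1 bytes)
   and returns 1; returns 0 if the cookie is absent. */
static int cookie_get(const char *header, const char *name, char *out, size_t outlen) {
    if (!header || !name || !out || outlen == 0)
        return 0;
    size_t namelen = strlen(name);
    const char *p = header;
    while (*p) {
        /* skip the "; " separators between pairs */
        while (*p == ';' || isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        /* this pair runs up to the next ';' or the end of the header */
        const char *end = p;
        while (*end && *end != ';')
            end++;
        const char *eq = memchr(p, '=', (size_t)(end - p));
        /* exact name match: "securitytoken_old=..." must not match */
        if (eq && (size_t)(eq - p) == namelen && memcmp(p, name, namelen) == 0) {
            const char *val = eq + 1;
            size_t vlen = (size_t)(end - val);
            while (vlen > 0 && isspace((unsigned char)val[vlen - 1]))
                vlen--;               /* trim trailing whitespace */
            if (vlen >= outlen)
                vlen = outlen - 1;    /* truncate rather than overflow */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end;
    }
    return 0;
}

/* Compare two token strings without an early exit on the first differing byte. */
static int constant_time_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Full check: find the cookie wherever it sits in the header, then compare it
   with the token carried by the request (expected). */
static int csrf_cookie_matches(const char *cookie_header, const char *expected) {
    char token[128];
    if (!cookie_get(cookie_header, CSRF_COOKIE, token, sizeof token))
        return 0;
    return constant_time_equal(token, expected);
}

/* Convenience for the examples: is cookie `name` present with exactly `expected`? */
static int cookie_has_value(const char *header, const char *name, const char *expected) {
    char value[128];
    return cookie_get(header, name, value, sizeof value) && strcmp(value, expected) == 0;
}

int main(void) {
    /* Constructed headers: the second is the situation from the report, where
       analytics cookies set on the parent domain precede the token. */
    const char *alone = "securitytoken=abc123";
    const char *ga_first = "_ga=GA1.2.555; _gid=GA1.2.777; securitytoken=abc123";
    printf("prefix check, token alone: %d\n", naive_check(alone));
    printf("prefix check, _ga first:   %d (false negative)\n", naive_check(ga_first));
    printf("name lookup, _ga first:    %d\n", csrf_cookie_matches(ga_first, "abc123"));
    printf("name lookup, wrong token:  %d\n", csrf_cookie_matches(ga_first, "zzz"));
    return 0;
}
```

The prefix check returns 0 for the second header even though the token is present, which is the failure the reporter hit: the user is rejected as a CSRF suspect whenever an unrelated cookie comes first. The name lookup is indifferent to order and refuses a cookie whose name merely begins with `securitytoken`.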
Comments (6)

  1. Andrey Yantsen

    Yep. For now. But I can't agree with you that it's not a bug. Our problem is that we're using the same TLD for monit and many other services: we have a few google-analytics scripts installed on the same domain as monit (more precisely, we have the domain avs.io, with GA set up on it, and monit on src1.int.avs.io), and GA sets cookies on the entire domain, not caring about others.