tildeslash / Monit / issues / #495 - Invalid CSRF check — Bitbucket

Issue #495 resolved

Former user created an issue 2016-11-02

Checking token in cookies with Str_startsWith(cookie, "securitytoken=") is inappropriate, because there is may be other cookies, and their order is not guaranteed.

Comments (6)

Tildeslash repo owner
- assigned issue to
  
  Tildeslash
- marked as enhancement
- marked as minor
There is currently only one cookie set by monit.
- 2016-11-02T07:19:43+00:00
Andrey Yantsen
Yep. For now. But I can't agree with you that it's not a bug. Our problem is that we're using same TLD for monit and many other services: we have few google-analytics scripts installed on same domain as monit (more precisely we have domain avs.io, with GA set up on it, and monit on src1.int.avs.io), and GA sets cookies on entire domain, not caring about others.
- 2016-11-02T07:27:20+00:00
Tildeslash repo owner
- changed status to resolved
Fixed: Issue ~~#495~~: position independent CSRF cookie value

→ <<cset f9a9a7a92c92>>
- 2016-11-02T10:08:05+00:00
Andrey Yantsen
Wow! It was fast! Thank you.
- 2016-11-02T10:10:54+00:00
Tildeslash repo owner
Issue ~~#535~~ was marked as a duplicate of this issue.
- 2017-01-07T07:52:15+00:00
Tildeslash repo owner
Issue ~~#732~~ was marked as a duplicate of this issue.
- 2018-04-04T16:55:42+00:00
Log in to comment

Assignee: Tildeslash

Type: enhancement

Priority: minor

Status: resolved

Component: Monit

Version: –

Votes: 0

Watchers: 3