Fix csrf token generation in LoginController::loginAction #437
Problem
While working in the admin interface in one browser tab, then opening another one via /admin/login or a deeplink admin/login/deeplink?object_29_object, the csrf token gets regenerated with $force = true. If you switch back to the first browser tab, the csrf token is not valid anymore, you get an Access denied error and have to reload the admin interface completely.
Expected behavior
Working on multiple tabs is possible without reloading the admin interface (some changes might get lost otherwise).
Actual behavior
In the first browser tab you see the following error when saving an element (or doing something else).
In the logs you see:
[2024-02-23T11:03:43.679029+01:00] security.ERROR: Detected CSRF attack on /admin/object/save {"request":"/admin/object/save"} []
Changes in this pull request
First check if there is already a csrf token set in the session. If no csrf token can be found, then regenerate with $force = true in LoginController::loginAction.
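A minimal model of the two behaviours described above, added here as an illustration and not taken from the project's code: the CsrfTokenStore class, its session key and the loginActionBefore/loginActionAfter helpers are assumptions that stand in for the real controller and session.

```php
<?php
// Added example, not the project's code. The session is modelled as an
// in-memory array; the class, key and helper names are assumptions.
final class CsrfTokenStore
{
    private const SESSION_KEY = 'csrf_token'; // assumed session key
    /** @var array<string,string> stands in for the PHP session of one browser */
    private array $session = [];

    public function hasToken(): bool
    {
        return isset($this->session[self::SESSION_KEY]);
    }

    // With $force = true the stored token is replaced even if one exists.
    public function generate(bool $force = false): string
    {
        if ($force || !$this->hasToken()) {
            $this->session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::SESSION_KEY];
    }

    // Constant-time comparison of a submitted token against the session.
    public function isValid(string $candidate): bool
    {
        return $this->hasToken()
            && hash_equals($this->session[self::SESSION_KEY], $candidate);
    }
}

// Before the fix: every login/deeplink request forces a new token.
function loginActionBefore(CsrfTokenStore $store): string
{
    return $store->generate(true);
}

// After the fix: keep an existing token, force regeneration only when none is set.
function loginActionAfter(CsrfTokenStore $store): string
{
    return $store->generate(!$store->hasToken());
}

// Two tabs share one session (same cookie), so they share one store.
foreach (['before' => 'loginActionBefore', 'after' => 'loginActionAfter'] as $label => $login) {
    $store = new CsrfTokenStore();
    $tabOneToken = $login($store);               // first tab loads the admin interface
    $login($store);                              // second tab opens /admin/login
    $stillValid = $store->isValid($tabOneToken); // first tab submits /admin/object/save
    echo $label . ': first tab token still valid: ' . var_export($stillValid, true) . PHP_EOL;
}
```

Running the script shows the first tab's token being rejected in the "before" case and accepted in the "after" case, which is the difference between the logged "Detected CSRF attack" error and a normal save.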