camunda BPM / CAM-9304

Concurrent creation of CSRF token is not synchronized

    Details

    • Type: Bug Report
    • Status: In Progress
    • Priority: L3 - Default
    • Resolution: Unresolved
    • Affects Version/s: 7.10.0-alpha3, 7.10.0-alpha4
    • Fix Version/s: 7.10.0, 7.7.10, 7.8.12, 7.9.7
    • Component/s: webapp
    • Labels:

      Description

      When concurrent requests (related to the same http session) try to generate a CSRF token, then for each request a CSRF token is generated, whereby the last one wins and is stored in the http session.

      The creation of CSRF tokens should be synchronized [1], like

      if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) == null) {
        synchronized(<session_mutex>) {
          if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) == null) {
            // TODO...
          }
        }
      }

      To synchronize, a "session mutex" could be used.

      [1]: https://github.com/camunda/camunda-bpm-webapp/blob/14f8f94f7381f62566bca3a92e9aa87aa4f520b7/src/main/java/org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.java#L203-L217
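      The double-checked pattern sketched above, written out as an added example (this is not code from the camunda webapp or from the reporter). The attribute names, the `generateToken` method, the class-level fallback lock used while the per-session mutex is first created, and the `Proxy`-backed fake `HttpSession` in `main` are all assumptions made for this illustration; the webapp's real constant is `CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME`. The mutex is kept as its own session attribute rather than locking on the `HttpSession` object, because some containers hand a filter a fresh session facade per request.

```java
import java.lang.reflect.Proxy;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import javax.servlet.http.HttpSession;

public class CsrfTokenSessionHelper {

  // Assumed attribute names for this example (the webapp uses
  // CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME for the token).
  static final String TOKEN_ATTR = "EXAMPLE_CSRF_TOKEN";
  static final String MUTEX_ATTR = "EXAMPLE_CSRF_TOKEN_MUTEX";

  private static final SecureRandom RANDOM = new SecureRandom();

  // Returns the per-session mutex, creating it exactly once. The class-level
  // lock only guards the short window in which the mutex attribute is created.
  static Object sessionMutex(HttpSession session) {
    Object mutex = session.getAttribute(MUTEX_ATTR);
    if (mutex == null) {
      synchronized (CsrfTokenSessionHelper.class) {
        mutex = session.getAttribute(MUTEX_ATTR);
        if (mutex == null) {
          mutex = new Object();
          session.setAttribute(MUTEX_ATTR, mutex);
        }
      }
    }
    return mutex;
  }

  // Double-checked creation: the cheap unsynchronized read serves every request
  // after the first; the check is repeated inside the lock so that of several
  // concurrent first requests only one generates and stores a token.
  static String getOrCreateToken(HttpSession session) {
    String token = (String) session.getAttribute(TOKEN_ATTR);
    if (token == null) {
      synchronized (sessionMutex(session)) {
        token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
          token = generateToken();
          session.setAttribute(TOKEN_ATTR, token);
        }
      }
    }
    return token;
  }

  // 256 bits from SecureRandom, URL-safe base64 so it can travel in a header.
  static String generateToken() {
    byte[] bytes = new byte[32];
    RANDOM.nextBytes(bytes);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
  }

  // Demo only: a fake HttpSession backed by a map (assumption, not a container
  // session). Only the attribute methods used above are implemented.
  static HttpSession fakeSession() {
    Map<String, Object> attrs = new ConcurrentHashMap<>();
    return (HttpSession) Proxy.newProxyInstance(
        HttpSession.class.getClassLoader(), new Class<?>[] {HttpSession.class},
        (proxy, method, args) -> {
          switch (method.getName()) {
            case "getAttribute": return attrs.get((String) args[0]);
            case "setAttribute": attrs.put((String) args[0], args[1]); return null;
            case "getId": return "fake-session";
            default: throw new UnsupportedOperationException(method.getName());
          }
        });
  }

  public static void main(String[] args) throws InterruptedException {
    HttpSession session = fakeSession();
    int requests = 50;
    CountDownLatch start = new CountDownLatch(1);
    CountDownLatch done = new CountDownLatch(requests);
    Set<String> handedOut = ConcurrentHashMap.newKeySet();
    // Fifty "requests" on the same session released at the same instant.
    for (int i = 0; i < requests; i++) {
      new Thread(() -> {
        try { start.await(); } catch (InterruptedException e) { return; }
        handedOut.add(getOrCreateToken(session));
        done.countDown();
      }).start();
    }
    start.countDown();
    done.await();
    // With the lock every request receives the one token that is stored in the
    // session; without it several tokens would be handed out and only the last
    // write would survive, so earlier callers hold a token that no longer matches.
    System.out.println("distinct tokens handed out: " + handedOut.size());
    System.out.println("token stored in session:    " + session.getAttribute(TOKEN_ATTR));
  }
}
```

Run with the servlet API on the classpath; the expected result is a single distinct token that equals the stored one. Inside a real filter, only `getOrCreateToken` is needed, with the session obtained from the request.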

        People

        • Assignee: nikola.koevski (Nikola Koevski)
        • Reporter: roman.smirnov (Smirnov Roman)