camunda BPM
CAM-9304

Concurrent creation of CSRF token is not synchronized

    Details

      Description

      When concurrent requests (belonging to the same HTTP session) try to generate a CSRF token, a token is generated for each request; the last one wins and is the one stored in the HTTP session.

      The creation of CSRF tokens should be synchronized [1], like

      if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) == null) {
      
        synchronized(<session_mutex>) {
          if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) == null) {
            // TODO...
          }
        }
      }
      

      A "session mutex" could be used for the synchronization.

      [1]: https://github.com/camunda/camunda-bpm-webapp/blob/14f8f94f7381f62566bca3a92e9aa87aa4f520b7/src/main/java/org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.java#L203-L217
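      As an added illustration (not the webapp's CsrfPreventionFilter code), the racy get-or-create beside the double-checked version the description proposes, with a small harness that fires concurrent requests at one session. FakeSession, the attribute name and the method names are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.*;
import java.util.function.Function;

// Stand-in for HttpSession so the race can be exercised outside a servlet container (assumed helper).
final class FakeSession {
  private final Map<String, Object> attrs = new ConcurrentHashMap<>();
  Object getAttribute(String name) { return attrs.get(name); }
  void setAttribute(String name, Object value) { attrs.put(name, value); }
}
public class CsrfTokenRace {
  // Hypothetical attribute name standing in for CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME.
  static final String TOKEN_ATTR = "CSRF_TOKEN";
  private static final SecureRandom RNG = new SecureRandom();
  static String newToken() { byte[] r = new byte[32]; RNG.nextBytes(r); return Base64.getUrlEncoder().withoutPadding().encodeToString(r); }
  // Racy: concurrent requests can all see null and each generate a token; the last setAttribute wins.
  static String unsynchronized(FakeSession s) {
    String t = (String) s.getAttribute(TOKEN_ATTR);
    if (t == null) { t = newToken(); s.setAttribute(TOKEN_ATTR, t); }
    return t;
  }
  // Fixed: double-checked locking on a per-session mutex (the session object here; a dedicated
  // mutex attribute set at session creation is safer where the container hands out wrappers).
  static String synchronizedOnSession(FakeSession s) {
    String t = (String) s.getAttribute(TOKEN_ATTR);
    if (t == null) {
      synchronized (s) {
        t = (String) s.getAttribute(TOKEN_ATTR);
        if (t == null) { t = newToken(); s.setAttribute(TOKEN_ATTR, t); }
      }
    }
    return t;
  }
  // Fires n simultaneous "requests" at one session; more than one distinct token means the race hit.
  static int distinctTokens(Function<FakeSession, String> impl, int n) throws Exception {
    FakeSession session = new FakeSession();
    Set<String> seen = ConcurrentHashMap.newKeySet();
    CountDownLatch go = new CountDownLatch(1);
    ExecutorService pool = Executors.newFixedThreadPool(n);
    for (int i = 0; i < n; i++) pool.submit(() -> { go.await(); seen.add(impl.apply(session)); return null; });
    go.countDown();
    pool.shutdown(); pool.awaitTermination(10, TimeUnit.SECONDS);
    return seen.size();
  }
  public static void main(String[] args) throws Exception {
    System.out.println("racy: " + distinctTokens(CsrfTokenRace::unsynchronized, 64) + " distinct token(s)");
    System.out.println("fixed: " + distinctTokens(CsrfTokenRace::synchronizedOnSession, 64) + " distinct token(s)");
  }
}
```

      Whether the racy variant reports more than one token depends on scheduling, but on a multi-core machine it usually does, meaning some callers hold a token the session has since overwritten; the double-checked variant always reports exactly one.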


          People

          • Assignee:
            michael.schoettes Michael Schoettes
            Reporter:
            roman.smirnov Smirnov Roman