Bug #41169

Routing Cache caches csrf protection tokens

Added by Christian Müller almost 3 years ago. Updated about 2 years ago.

Status: Closed
Start date: 2012-09-21
Priority: Should have
Due date:
Assigned To: Bastian Waidelich
% Done: 0%
Category: MVC - Routing
Target version: -
PHP Version:
Complexity:
Has patch: No
Affected Flow version: Git master

Description

If you look at the saved URLs in routing cache files you will see that CSRF protection tokens are cached in there, which is not very useful.

History

#1 Updated by Karsten Dambekalns over 2 years ago

  • Affected Flow version changed from Git 1.2 (master) to Git master

#2 Updated by Christian Müller over 2 years ago

  • Assigned To set to Bastian Waidelich

#3 Updated by Bastian Waidelich about 2 years ago

  • Status changed from New to Closed

For the match case (incoming) the RouterCaching aspect only caches the route path (excluding any query arguments).
For resolve (outgoing) the aspect stores all values passed to Router::resolve() no matter what internal meaning they have and that seems correct to me.
The actual issue was IMO that the CSRF token was part of those $routeValues in the first place (added by CsrfProtectionAspect::addCsrfTokenToUri()).

I'm closing this bug for now because the issue is fixed with #47252 and the bug is not critical to be backported to older branches IMO.
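The resolve-side behaviour described in comment #3, as an added example that is not part of the ticket and is not TYPO3 Flow code: a simplified cache keyed on all route values, showing that a token inside those values is written to the cache and creates one entry per token, while a token appended after resolving is not. The class, the function names, the `__csrfToken` argument name and the URI layout are assumptions for illustration; it needs PHP 8.

```php
<?php
// Simplified model of a resolve cache; NOT the Flow RouterCachingAspect.
// ResolveCache, both helper functions and '__csrfToken' are hypothetical names.
final class ResolveCache
{
    /** @var array<string, string> cache key => resolved URI */
    public array $entries = [];

    public function resolve(array $routeValues): string
    {
        ksort($routeValues);                      // make the key order-independent
        $key = sha1(json_encode($routeValues));   // every value becomes part of the key
        if (!isset($this->entries[$key])) {
            // Stand-in for the expensive route resolution.
            $this->entries[$key] = '/index.php?' . http_build_query($routeValues);
        }
        return $this->entries[$key];
    }
}

// Token merged into the route values: it ends up in the cache key and the cached URI.
function uriWithTokenInRouteValues(ResolveCache $cache, array $routeValues, string $token): string
{
    return $cache->resolve($routeValues + ['__csrfToken' => $token]);
}

// Only the stable values are resolved and cached; the token is appended afterwards.
function uriWithTokenAppended(ResolveCache $cache, array $routeValues, string $token): string
{
    $uri = $cache->resolve($routeValues);
    $separator = str_contains($uri, '?') ? '&' : '?';
    return $uri . $separator . http_build_query(['__csrfToken' => $token]);
}

// Constructed sample data: one route, three sessions with different tokens.
$routeValues = ['@controller' => 'Post', '@action' => 'delete', 'post' => '42'];
$tokens = array_map(fn () => bin2hex(random_bytes(16)), range(1, 3));

$inValues = new ResolveCache();
$appended = new ResolveCache();
foreach ($tokens as $token) {
    uriWithTokenInRouteValues($inValues, $routeValues, $token);
    uriWithTokenAppended($appended, $routeValues, $token);
}

foreach (['token in route values' => $inValues, 'token appended later' => $appended] as $label => $cache) {
    $stored = str_contains(implode("\n", $cache->entries), $tokens[0]) ? 'yes' : 'no';
    printf("%-22s entries: %d, token in cache: %s\n", $label, count($cache->entries), $stored);
}
```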
