Hello,
We're running Magnolia CE websites with some forms. Some of them are quite long (5-6 pages) and have a lot of fields. Sometimes users get a "you are not allowed to submit, possibly the sessions has expired" message when submitting the form more than 30 minutes after opening it (which, given the details requested in the form, can happen). Sounds like a Tomcat timeout.
So we tried to keep the Tomcat session alive for longer. We did not change the Tomcat session timeout, but instead use an AJAX GET request on form pages to tell the server that the user is still active (we do that for max. 2 hours). This keeps the Tomcat session alive (and we see the same JSESSIONID after about 45 minutes). This solution works on another Magnolia instance (but that one is Magnolia DXP with a heavily customized form submit).
But even though the Tomcat session is still alive, the form submit still fails with the same problem. This is strange. Why is the form submit invalid after 30 minutes? Our guess is that the CSRF token is no longer available in the session. But why, and what can we do to keep the form submittable for longer than 30 minutes?
We're running Magnolia CE 6.2.17, but tried this even with the newest Magnolia version (6.2.24). There is some change to the CSRF handling in Magnolia 6.2.23 (details are not known), which seems to have no impact on this problem. With the Magnolia community demo webapp you can start it and open the contact page. After 35 minutes, submit it and you will get that "not allowed" error. You could even load other pages in a different browser tab in between (to keep the session alive); submitting the form is still not possible. Sometimes we see the behaviour that another page (which has no form on it) has a response cookie "csrf" with a new value. We guess that setting a different csrf cookie value would cause the problem, because now the csrf value sent in the form submit payload is different from the csrf cookie value.
Why is the CSRF token sent in a cookie? In the description of CsrfCookieTokenFilter there is a link to this page:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
If you scroll up a little bit, there is a bold sentence: "CSRF tokens should not be transmitted using cookies".
The basic question is: how can we allow a form to be submitted after more than 30 minutes (or whatever the exact timeout is)?
Best regards,
Sebastian
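Added here as an illustration (constructed for this thread, not Magnolia's CsrfCookieTokenFilter code): a toy model of the double-submit-cookie check that shows why a payload token captured when the form was rendered is rejected once a later response rotates the csrf cookie, beside a session-bound (synchronizer) token that ignores cookies entirely but is lost when the session expires. All class and function names are invented for the example.

```python
import hmac
import secrets

class DoubleSubmitCookieModel:
    """Toy model of a double-submit-cookie CSRF check (constructed, not Magnolia's code)."""
    def __init__(self):
        self.cookie_csrf = None  # value of the "csrf" cookie the browser currently holds

    def render_form(self):
        # Form render: mint a token, set it as the cookie and embed the same value in the form.
        self.cookie_csrf = secrets.token_hex(16)
        return {"csrf": self.cookie_csrf}

    def load_other_page(self):
        # A later page load that (as reported in the post) answers with a new "csrf" cookie.
        self.cookie_csrf = secrets.token_hex(16)

    def submit(self, payload):
        # Only the payload token and the current cookie are compared; no server-side state is consulted.
        return hmac.compare_digest(payload["csrf"], self.cookie_csrf or "")

class SynchronizerTokenModel:
    """Session-bound token: the server keeps the expected value, so the cookie plays no role."""
    def __init__(self):
        self.session = {}  # stands in for the Tomcat HttpSession

    def render_form(self):
        return {"csrf": self.session.setdefault("csrf", secrets.token_hex(16))}

    def submit(self, payload):
        expected = self.session.get("csrf")
        return expected is not None and hmac.compare_digest(payload["csrf"], expected)

def double_submit_outcomes():
    # Returns (ok before any other page load, ok after a page load rotated the cookie).
    m = DoubleSubmitCookieModel()
    form = m.render_form()  # token captured when the long form was opened
    before = m.submit(form)
    m.load_other_page()
    return before, m.submit(form)

def synchronizer_outcomes():
    # Returns (ok while the session is alive, ok after the session expired).
    m = SynchronizerTokenModel()
    form = m.render_form()
    alive = m.submit(form)
    m.session.clear()  # what a Tomcat session timeout does to the stored token
    return alive, m.submit(form)
```

Both models return (True, False): the cookie-based check breaks on cookie rotation even with a live session, while the session-bound check breaks only when the session itself is gone.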