Multiple Pub instances / csrf filter


Christoph Damm

Dec 26, 2022, 2:11:08 AM
to Abridged recipients
Hello,
As far as I can see the default hmaccsrftoken is requiring sticky sessions in a multiple Pub instances scenario as it makes use of the instanceUuid. Is that a correct assumption?
The nature of my app would not require stickiness as I do not store any data in the session, thus I assumed I don't need it.
I also only have forms built with the form builder, no login forms.
Wondering what the best solution would be:
Add stickiness?
Bypass the filter for the form?
Change the csrftoken implementation?

Glad for any advice,

Cheers
Chris

Christoph Damm

Dec 27, 2022, 7:34:36 AM
to Magnolia User Mailing List
Hello,
after looking a bit closer into the topic I am not sure what the desired setup really would be:
1) I do not have a jsessionid anyway, so can't make anything sticky... but
2) if I use the form module I get a jsessionid (I guess the form module stores data, just in case it would be a multistep form, mine isn't however).
Hence I am not sure if or how the CsrfTokenFilter is meant to be used in a multi-instance setup?
Or should I write my own which would not use the instanceUuid (also I am not sure where else this uuid has an effect).

Thanks for any hints and regards

Christoph

Roman Kovařík

Jan 2, 2023, 5:06:30 AM
to Magnolia User Mailing List, christo...@gmail.com
Hi Christoph,

I'd not expect the CSRF to use a session attribute if a session doesn't exist already, but a fallback to a cookie instead.
It might be related to https://jira.magnolia-cms.com/browse/MGNLPN-512, as the country trait uses the session by default. You might try to change it to be request scoped only.

Regards
Roman

Michael Dürig

Jan 12, 2023, 3:08:05 AM
to Magnolia User Mailing List, Roman Kovařík, christo...@gmail.com
Hi,

Magnolia's CSRF tokens always include the server Id and require it to match, regardless of whether the token is stored in the session or the cookie. So yes, in a multi-instance setup you would need to use sticky sessions.

However, IIUC you're using Vaadin for your forms. In this case Vaadin has its own CSRF protection mechanism already and it should be safe to disable the one from Magnolia.

Michael

Michael Dürig

Jan 16, 2023, 5:36:10 AM
to Magnolia User Mailing List, Michael Dürig, Roman Kovařík, christo...@gmail.com

Hi,

Another approach that comes to mind is to ensure all your public instances share the same instanceUuid (Configuration / server/instanceUuid). See also https://docs.magnolia-cms.com/product-docs/6.2/Administration/Instances/Creating-a-new-public-instance.html#_copying_a_public_instance

Michael
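The mechanism Michael describes (a token that embeds the server id and only verifies where that id matches) as an added example, not code from Magnolia or from anyone in this thread: a simplified HMAC CSRF token model in which the function names, the secret and the uuid values are constructed here. It also assumes the HMAC key is shared between instances, which the thread does not discuss; it shows why a token issued by one public instance fails on another unless both carry the same instanceUuid.

```python
import hashlib
import hmac
import secrets

# Simplified model (an assumption, not Magnolia's real implementation): the CSRF
# token is an HMAC over a per-client nonce and the issuing server's instanceUuid.
# The verifying instance recomputes the MAC with *its own* instanceUuid, so a
# token minted by instance A only verifies on instance B if both share the uuid
# (or the client is pinned to A via sticky sessions).

def issue_token(secret: bytes, instance_uuid: str, nonce: str) -> str:
    msg = f"{instance_uuid}:{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_token(secret: bytes, instance_uuid: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:          # malformed token, no separator
        return False
    msg = f"{instance_uuid}:{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison

def simulate_load_balanced_post(shared_uuid: bool) -> dict:
    """Form rendered by instance A, POST routed either back to A or to B."""
    secret = b"constructed-shared-hmac-key"       # constructed sample value
    uuid_a = "pub-1-constructed-uuid"
    uuid_b = uuid_a if shared_uuid else "pub-2-constructed-uuid"
    token = issue_token(secret, uuid_a, secrets.token_hex(16))
    return {
        "same_instance": verify_token(secret, uuid_a, token),
        "other_instance": verify_token(secret, uuid_b, token),
    }

if __name__ == "__main__":
    print("distinct instanceUuid:", simulate_load_balanced_post(False))
    print("shared instanceUuid:  ", simulate_load_balanced_post(True))
```

Without sticky sessions the "other_instance" verification is the one a load balancer exercises on a cross-instance POST; it only succeeds in the shared-uuid run.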