on 2017 Aug 22 10:55 AM
Hi
We are developing a B2B site using Hybris version 6.1.0.1.
The security verification team raised a concern that the CSRF tokens are not getting regenerated for different users and remain the same. User 1 logs in, has Token 1 and logs out. User 2 logs in and has the same Token 1. I think they might have used the same browser window.
Is this really an issue, as the token is randomly generated and the validation of the token is done by the CSRFHandlerInterceptor?
In our codebase we have the default values for "csrf.allowed.url.patterns", and also in spring-mvc-config.xml the bean properties are not commented out, as directed in the help documentation.
Please let me know so that I can provide a valid explanation to the security team.
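The scenario in the question (same browser, user 1 logs in and out, user 2 logs in) depends on what logout does to the server-side session that holds the token. The following is an added example, not code from SAP or the Hybris project, written as a small Python model rather than against the Spring MVC stack the question concerns; the Server and Browser classes, the cookie name JSESSIONID and the two logout policies are assumptions of the model. It shows both outcomes side by side and an interceptor-style check that validates a submitted token against the session the request's cookie identifies.

```python
"""Model of session-bound CSRF tokens (added example, not Hybris/SAP code).

Shows whether a logout followed by another user's login in the same browser
reuses the previous CSRF token, and how an interceptor-style check validates
the token against the current session."""
import hmac
import secrets


class Browser:
    """A single browser profile: one cookie jar shared by both logins."""

    def __init__(self):
        self.cookies = {}


class Server:
    """Stores one CSRF token per server-side session.

    invalidate_on_logout=False models a logout that only clears the user from
    the session object, so session and token survive; True models a logout that
    destroys the session, so the next login starts a fresh one with a fresh
    token.  The cookie name JSESSIONID is the servlet default and an assumption
    of this model.
    """

    COOKIE = "JSESSIONID"

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # session id -> {"user": str or None, "csrf": str}

    def _session_for(self, browser):
        sid = browser.cookies.get(self.COOKIE)
        if sid not in self.sessions:
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
            browser.cookies[self.COOKIE] = sid  # Set-Cookie on the first response
        return sid, self.sessions[sid]

    def login(self, browser, user):
        """Authenticate and return the CSRF token the app would render into forms."""
        _, session = self._session_for(browser)
        session["user"] = user
        return session["csrf"]

    def logout(self, browser):
        sid = browser.cookies.get(self.COOKIE)
        if sid is None:
            return
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)            # like HttpSession.invalidate()
            browser.cookies.pop(self.COOKIE, None)  # expired Set-Cookie
        else:
            self.sessions[sid]["user"] = None       # session and token survive

    def handle_post(self, browser, submitted_token):
        """Interceptor-style check: the submitted token must match the token of
        the session named by the request's cookie, for a logged-in user, compared
        in constant time."""
        sid = browser.cookies.get(self.COOKIE)
        session = self.sessions.get(sid)
        if session is None or session["user"] is None:
            return False
        return hmac.compare_digest(session["csrf"], submitted_token)


def tokens_across_logins(server):
    """The reported scenario: user 1 logs in and out, user 2 logs in, same browser."""
    browser = Browser()
    token1 = server.login(browser, "user1")
    server.logout(browser)
    token2 = server.login(browser, "user2")
    return token1, token2, browser


if __name__ == "__main__":
    for name, srv in (("logout keeps session", Server(False)),
                      ("logout invalidates session", Server(True))):
        t1, t2, _ = tokens_across_logins(srv)
        print(f"{name}: token reused across users = {t1 == t2}")
```

Run it and the first server reproduces what the security team saw (the same token for both users), the second does not; the same two-login sequence can be scripted against the real site with an HTTP client to see which behaviour it has. The check in handle_post passes in both models, which is the point: the interceptor only ties a token to a session, so the freshness of the token is exactly the freshness of the session logout leaves behind.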