
Rolling deployments, sessions, and CSRF protection

Former Member
0 Likes
398

Dear experts et al.,

I have a philosophical question about rolling deployment and session management. Let us say that the following scenario takes place:

  • A user logs in to the shop and gets a session which will be valid for two weeks; he adds items to his cart

  • We add CSRF protection, which from now on requires a token on all HTTP POST requests. These changes are deployed using rolling deployments

The question here is, what happens to the user's session and the items in the cart? If the session is somehow persisted, then he will not have the CSRF token and all the POST HTTP requests that he sends will end in 403, until he gets a new session. So the question again is, when a rolling deployment takes place, do sessions stay intact?

Any help will be greatly appreciated!

Kind regards,

L

Accepted Solutions (0)

Answers (2)

andyfletcher
Active Contributor
0 Likes

I don't believe that this is how Hybris default basket persistence works. You don't keep a long-running session (because that's going to kill your application server keeping all those sessions in memory). Instead there is a cookie with the name <site-uid>-cart that contains the uuid of your cart. When you return to the site with a new session then this is used to restore your cart from the db. So in your situation you'd get a new session and CSRF token when viewing the page after a restart, but your cart would be restored into that new session. Where it would fail is if the server you were on is restarted after the page is rendered with the CSRF token in it and before you press submit. Then you'd be bounced to a new server, get a new session, and CSRF validation would fail. I'm assuming here that you are using sticky sessions, but if you've got some sort of session sharing then it would probably work ok, as has said in his comment.

Former Member
0 Likes

It's so funny, my first attempt to answer this gave me a CSRF token error on this form. First, 2 weeks for session timeout seems incredibly large. But the scenario you present is also valid for reasonable session timeouts under one hour, so here are my thoughts. Session replication should be the solution here if the CSRF token is stored in the session. If it is not, I encourage you to open a support ticket; however, I think you may be able to customize your solution to store the CSRF token in the session if OOTB session replication for 6.3 and up does not provide that. Have you tried this, and do you know for sure that session replication does not work in this scenario?

Former Member
0 Likes

Thank you for the info. But the basic question is: when a rolling deployment takes place, do sessions stay intact?

Former Member
0 Likes

If you persist them in a session store (session replication OOTB stores sessions in the hybris database) and your new build does not alter session attributes in a destructive way, they should stay intact.
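
The failure mode andyfletcher describes (form rendered with a token on one node, that node restarted by the rolling deploy, the POST landing on another node) and the mitigation in the last comment (a shared session store, as long as the new build keeps the session attributes it relies on) can both be shown in a small simulation. The following is an added example, not code from this thread or from the hybris platform: two nodes behind a sticky load balancer, each either holding sessions in its own memory or in a dictionary that stands in for a replicated, database-backed store. The cart cookie name `<site-uid>-cart` follows andyfletcher's answer; the site uid `electronics`, the `JSESSIONID` cookie handling, the `CART_DB` table and the session attribute names `csrf` / `_csrf` are constructed for the example.

```python
import secrets
import uuid

SITE_UID = "electronics"          # constructed site uid; the cart cookie is <site-uid>-cart
CART_COOKIE = f"{SITE_UID}-cart"
CART_DB = {}                      # constructed stand-in for the cart table, keyed by cart uuid


class AppNode:
    """One application-server node. Sessions live in the node's own memory
    (lost on restart) unless a shared store, standing in for replicated
    sessions in the database, is passed in."""

    def __init__(self, name, shared_store=None, csrf_key="csrf"):
        self.name = name
        self.shared_store = shared_store
        self.csrf_key = csrf_key      # session attribute under which this build keeps the token
        self.memory = {}

    @property
    def sessions(self):
        return self.shared_store if self.shared_store is not None else self.memory

    def restart(self):
        """Rolling deployment restarts the node; in-memory sessions are gone."""
        self.memory = {}

    def render_page(self, cookies):
        """GET: find or create the session, restore the cart from the cart cookie,
        and return (cookies to send back, CSRF token rendered into the form)."""
        sid = cookies.get("JSESSIONID")
        session = self.sessions.get(sid)
        if session is None:
            cart_id = cookies.get(CART_COOKIE)
            if cart_id not in CART_DB:            # no cookie or unknown cart: start a new one
                cart_id = str(uuid.uuid4())
                CART_DB[cart_id] = []
            sid = str(uuid.uuid4())
            session = {"cart_id": cart_id}
            self.sessions[sid] = session
        if self.csrf_key not in session:          # first render by this build: issue a token
            session[self.csrf_key] = secrets.token_hex(16)
        new_cookies = dict(cookies, JSESSIONID=sid)
        new_cookies[CART_COOKIE] = session["cart_id"]
        return new_cookies, session[self.csrf_key]

    def post_add_to_cart(self, cookies, form):
        """POST: reject unless the submitted token equals the one in the session."""
        session = self.sessions.get(cookies.get("JSESSIONID"))
        if session is None:
            return 403, "no session, token cannot be checked"
        if not secrets.compare_digest(session.get(self.csrf_key, ""), form.get("csrf", "")):
            return 403, "CSRF token mismatch"
        CART_DB[session["cart_id"]].append(form["sku"])
        return 200, "added"


def run_scenario(shared, new_build_csrf_key="csrf"):
    """User renders the form on node A; A is restarted by the rolling deploy and
    the sticky load balancer sends the pending POST to node B (the new build).
    Returns (status of that POST, cart contents after the next page view)."""
    store = {} if shared else None
    node_a = AppNode("A", store)
    node_b = AppNode("B", store, csrf_key=new_build_csrf_key)

    cookies, token = node_a.render_page({})                         # first visit
    node_a.post_add_to_cart(cookies, {"csrf": token, "sku": "sku-1"})
    cookies, token = node_a.render_page(cookies)                    # form left open in the browser
    node_a.restart()                                                # deploy hits node A

    status, _ = node_b.post_add_to_cart(cookies, {"csrf": token, "sku": "sku-2"})

    cookies, _ = node_b.render_page(cookies)                        # user reloads the page
    return status, list(CART_DB[cookies[CART_COOKIE]])


if __name__ == "__main__":
    print("in-memory sessions:      ", run_scenario(shared=False))
    print("replicated sessions:     ", run_scenario(shared=True))
    print("replicated, key renamed: ", run_scenario(shared=True, new_build_csrf_key="_csrf"))
```

With in-memory sessions the pending POST gets a 403 on node B, but the next page view restores the cart from the cart cookie, which is exactly the split between session and cart persistence described above. With the shared store the POST succeeds. The third run shows the caveat from the last comment: the session survives, but because the new build looks for the token under a different attribute name, validation still fails until the page is re-rendered.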