Remove XSRF cookie

This was a contentious change is generally a bad idea to blanket all requests with a dependant cookie. We will try something else. Revert enableXsrfCookies setting. Fixes UX issue introduced where the token expires. This should be replaced by a CSRF policy that determines whether this is needed on the front end.
2019-11-04 09:06:05 +11:00 · 2019-11-04 09:06:05 +11:00 · 8da798a5cd
parent c5bd5f0e0a
commit 8da798a5cd
3 changed files with 4 additions and 28 deletions
--- a/config/cms.php
+++ b/config/cms.php
@ -381,19 +381,6 @@ return [

    'enableCsrfProtection' => true,

-    /*
-    |--------------------------------------------------------------------------
-    | Automatic XSRF Cookies
-    |--------------------------------------------------------------------------
-    |
-    | Automatically provide and process an XSRF cookie to the browser to
-    | support CSRF protection on all AJAX requests without having to add
-    | an explicit CSRF token to the frontend markup
-    |
-    */
-
-    'enableXsrfCookies' => true,
-
    /*
    |--------------------------------------------------------------------------
    | Force bytecode invalidation
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@ -174,13 +174,6 @@ class Controller extends Extendable
            return Response::make(Lang::get('system::lang.page.invalid_token.label'), 403);
        }

-        if (
-            Config::get('cms.enableCsrfProtection', true) &&
-            Config::get('cms.enableXsrfCookies', true)
-        ) {
-            $this->setResponseCookie($this->makeXsrfCookie());
-        }
-
        /*
         * Check forced HTTPS protocol.
         * @see \System\Traits\SecurityController
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@ -148,19 +148,15 @@ class Controller

        /*
         * Check security token.
+         *
+         * Note: Ignore AJAX requests until a CSRF policy introduced.
+         *
         * @see \System\Traits\SecurityController
         */
-        if (!$this->verifyCsrfToken()) {
+        if (!Request::ajax() && !$this->verifyCsrfToken()) {
            return Response::make(Lang::get('system::lang.page.invalid_token.label'), 403);
        }

-        if (
-            Config::get('cms.enableCsrfProtection', true) &&
-            Config::get('cms.enableXsrfCookies', true)
-        ) {
-            $this->setResponseCookie($this->makeXsrfCookie());
-        }
-
        /*
         * Hidden page
         */