- **labels**: security, sf-current, sf-2 --> security, sf-2
---

**[tickets:#7893] CSRF checks don't work on login**

**Status:** closed
**Milestone:** unreleased
**Labels:** security sf-2
**Created:** Mon Jun 08, 2015 07:38 PM UTC by Dave Brondsema
**Last Updated:** Tue Jun 09, 2015 05:28 PM UTC
**Owner:** Dave Brondsema

`CSRFMiddleware` deletes all cookies (including login session) if CSRF checks fail. However, that doesn't stop a forged login since there isn't a session cookie yet anyway. The login continues and you are logged in.

Also we have no tests for CSRF functionality.
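The failure mode the ticket describes, modelled as an added example (not Allura's `CSRFMiddleware` and not code from the ticket): a WSGI middleware that only strips cookies when the CSRF check fails, beside one that rejects the request. The login handler, the `_csrf` cookie, the `X-CSRF-Token` header, the `/login` path and the 403 response are all assumptions made for illustration.

```python
import hmac
from http.cookies import SimpleCookie

def login_app(environ, start_response):
    """Constructed stand-in for a login handler: any POST reaching it logs in."""
    start_response("200 OK", [("Set-Cookie", "session=constructed-session-id")])
    return [b"logged in"]

def token_ok(environ):
    """Hypothetical double-submit check: _csrf cookie must equal X-CSRF-Token."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("_csrf")
    sent = environ.get("HTTP_X_CSRF_TOKEN", "")
    return bool(cookie and sent) and hmac.compare_digest(cookie.value.encode(), sent.encode())

def strip_cookies_on_failure(app):
    """Behaviour described in the ticket: drop cookies, then continue anyway."""
    def middleware(environ, start_response):
        if environ["REQUEST_METHOD"] == "POST" and not token_ok(environ):
            environ.pop("HTTP_COOKIE", None)  # nothing to drop before login
        return app(environ, start_response)
    return middleware

def reject_on_failure(app):
    """One possible hardening (assumption): stop the request before the handler."""
    def middleware(environ, start_response):
        if environ["REQUEST_METHOD"] == "POST" and not token_ok(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"CSRF check failed"]
        return app(environ, start_response)
    return middleware

def run(app, environ):
    """Call a WSGI app on a copy of environ; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured.update(status=status, headers=dict(headers))
    body = b"".join(app(dict(environ), start_response))
    return captured["status"], captured["headers"], body

# Constructed cross-site login POST: no session cookie, no CSRF token.
FORGED_LOGIN = {"REQUEST_METHOD": "POST", "PATH_INFO": "/login"}

if __name__ == "__main__":
    for wrap in (strip_cookies_on_failure, reject_on_failure):
        print(wrap.__name__, run(wrap(login_app), FORGED_LOGIN)[0])
```

The assertions on `run(...)` double as the kind of regression test the ticket notes is missing: a forged login must not come back with a session cookie.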
