Links for users without a session are not CSRF checked

By chx on 3 July 2016

Change record status:

Draft (View all draft change records)

Project:

Drupal core

Introduced in branch:

8.1.x

Issue links:

https://www.drupal.org/node/2730351

Description:

Routes with the _csrf_token requirement always failed the CSRF check if there was no session started because the CSRF seed was not stored anywhere. Now the CSRF token will only be added to the link if the user has a session irregardless whether they are logged in or not.

Links for users without a session are not CSRF checked

News items

Our community

Documentation

Drupal code base

Governance of community