Fix CSRF validation for duplicate cookie values on PATCH
@@ -137,6 +137,7 @@ Recommended LIVE pattern:
- `VITE_ALLOWED_HOSTS` only affects development mode where Vite is running.
- API auth cookies support optional domain and SameSite configuration through `AUTH_COOKIE_DOMAIN` and `AUTH_COOKIE_SAMESITE`.
- HTTPS cookie security detection falls back to `PUBLIC_BASE_URL` scheme when proxy headers are missing.
- CSRF validation accepts header matches against any `dcm_csrf` cookie value in the request, covering stale plus fresh duplicate-cookie transitions.
- Session authentication is cookie-based; browser reloads and new tabs can reuse an active session until it expires or is revoked.
- Protected media and file download flows still use authenticated fetch plus blob/object URL handling.
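Review bot: the new CSRF bullet widens what the documentation promises without stating the scope or the trade-off; the commit title limits the fix to PATCH, while the bullet says validation accepts a header match against any `dcm_csrf` cookie value, so please state which request methods this applies to and that accepting duplicate cookies is a transitional behaviour (e.g. "until the stale cookie is cleared or expires"). It is also worth one sentence on the security consequence: in a double-submit scheme, comparing the header against every same-name cookie means a `dcm_csrf` cookie scoped to a parent or sibling domain (see the `AUTH_COOKIE_DOMAIN` bullet above) would satisfy the check too, so the doc should say that the server clears the stale cookie on the next response rather than relying on this leniency permanently.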