CSRF token not validated
|Knowledge Article Number||000214441|
|Description||CSRF tokens are unique per session and are validated on GET/POST requests (depending on which CSRF settings are enabled) to ensure that no cross-site requests are being made against Salesforce. When a request is made, the auto-generated token is validated to confirm that the request originated from the Salesforce UI and was not initiated from another site.
Independent of which CSRF settings are enabled, in what instances is this token not validated?
|Resolution||CSRF tokens are only validated when the acting end user has a valid session ID. This means that on a public community or Force.com site, where every unauthenticated visitor is a Guest user, no CSRF validation takes place: as of Winter '15, for security reasons, Guest users no longer have session IDs generated.
Because the site is public and every guest user has the same privileges, a forged cross-site request made as a guest cannot do anything the attacker could not already do by sending the request directly; there should therefore be no guest-accessible action that is unintended or could be used for a malicious attack. Since security here is controlled entirely by the Guest profile's access level, there is no requirement to issue a session ID or validate CSRF tokens for guest users. The practical consequence is that every action reachable by the Guest profile (the objects, fields, Apex classes and Visualforce pages granted to it) is effectively an unauthenticated endpoint, so that profile's permissions, and any guest-accessible Apex that runs without honoring them, should be reviewed with this in mind.
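As an added illustration (not code from this article or from Salesforce), the controller below shows the pattern this reasoning implies for a guest-accessible Visualforce action: since no CSRF token is validated for guest requests, the action keeps its effect bounded by what the Guest profile has been explicitly granted instead of silently exceeding it in system context. The class and action names (PublicCaseController, createCase) and the assumption that the site's Guest profile has been given create access to Case and its Subject and Description fields are hypothetical.

```apex
// Added example, not from the article or from Salesforce.
// Assumes a Force.com site page backed by this controller, and a Guest
// profile granted create access on Case plus its Subject and Description
// fields (hypothetical setup).
public with sharing class PublicCaseController {
    public String subject { get; set; }
    public String description { get; set; }

    // Guest requests carry no session ID, so Salesforce validates no CSRF
    // token for them (a visitor who does have a session gets the standard
    // validation). The action must therefore be safe to invoke by anyone who
    // can reach the site: it does only what the Guest profile is allowed to do.
    public PageReference createCase() {
        if (String.isBlank(subject)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'A subject is required.'));
            return null;
        }

        Case c = new Case(Subject = subject, Description = description);

        // Honor the Guest profile's object- and field-level permissions rather
        // than relying on Apex running in system context: strip any field the
        // running user may not create, and refuse if that removes anything or
        // if the object itself is not createable for this profile.
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.CREATABLE, new List<Case>{ c });
        if (!Schema.sObjectType.Case.isCreateable()
                || !decision.getRemovedFields().isEmpty()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR,
                'The guest profile is not permitted to create this case.'));
            return null;
        }

        insert decision.getRecords();
        ApexPages.addMessage(new ApexPages.Message(
            ApexPages.Severity.CONFIRM, 'Your case has been submitted.'));
        return null;
    }
}
```

The value of the pattern is that the action's reach is exactly the Guest profile's reach, which is the only control the article says applies to guest traffic: tightening or loosening that profile changes what an unauthenticated (and un-CSRF-protected) request can do, with no hidden capability left in the controller.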