[keycloak-user] CSRF vulnerability in Keycloak account service

Dear Keycloak Community, Though there is a CSRF token used in the Keycloak Account service, there is *CSRF token fixation vulnerability*. To prevent CSRF, a cookie named KEYCLOAK_STATE_CHECKER is used (CSRF defense method: "Double submit cookie"). The CSRF token is required to be unique for each session. But, as this cookie accepts user-agent provided value at login and doesn't clear the cookie at logout, the value of the CSRF token is same across sessions, for the users using the same user-agent. This vulnerability can be exploited by an attacker to steal this cookie from the victim's browser, even when there is no active victim session. And then, the value can be used by the attacker to perform the CSRF attack. The impact of this attack can be as bad as an attacker taking over as the admin of the IDP and exploiting any application hosted using this IDP service. A fix for the issue was requested at the below link, but it is deleted now, for no known reason : https://developer.jboss.org/thread/275577 My questions are: 1. Why was my fix request deleted? 2. If I fix the vulnerability (by initializing cookie KEYCLOAK_STATE_CHECKER at every login), it would be difficult to carry forward the code changes, for every new update from the JBoss community. How to manage such local fixes? 3. If there can be a work-around to the problem? https://stackoverflow.com/questions/45481833/csrf-vulnerability-in-keyclo...