Magnolia CORE 5.6.14 is the last maintenance release in the 5.6 branch, which reached end of life on June 25, 2020. This is a bug-fixing and security release that delivers the following:

Stateless protection against login CSRF attack

A stateless technique is now used to protect against any login CSRF attack. See Double Submit Cookie for more information.

When requesting a Magnolia login page before a session is created after authentication, a CSRF token is temporarily kept in a cookie in the client browser. That token is generated with each GET request before login. When the login form is submitted to the server with a POST request, the cookie token is matched against the value coming from the request.

To improve security, a salted hash is used for the cookie so that an attacker will not be able to re-create the cookie value from the plain token without knowledge of the server secrets.

MAGNOLIA-7660 (restricted access)

Configurable sameSite attribute for JSESSIONID cookie

For added security, the sameSite attribute can be configured for the JSESSIONID cookie. In Tomcat 8.5.42+, add the following to the conf/context.xml file:

<CookieProcessor sameSiteCookies="strict"/>

A strict value for sameSiteCookies is now the default in all Tomcat bundles. See Cookie Processor Component for more information.

MGNLTOMCAT-15 (restricted access)

Debug mode for SMTP Session

In the Mail module, a debug property has been added to SmtpConfiguration. To debug javax.mail.Session, set the property to true. See SMTP Session debugging for more information.


Third-party library updates

This release comes with the following third-party library updates to fix some security and compatibility issues:

We keep the details of the security-related fixes private in line with our security policyContact our Support team if you need more information.

Notable bug fixes

The following issues have been resolved where:

  • In the Backup module, Magnolia failed to start upon restore due to incompatibility with H2 1.4.200 (MGNLBACKUP-136).
  • In the Cache moduleCacheResponseWrapper did not retrieve contentType correctly (MGNLCACHE-38).
  • In the Content Dependencies module, reference properties were ignored when resolving dependencies (MGNLCDEP-90).

  • In the Publishing module, nodes appeared in the wrong order after publishing a single page (PUBLISHING-79).

    This issue was previously addressed in PUBLISHING-62. If you no longer experience problems with published node order, you should not upgrade to Publishing 1.0.10.

    On the author instance, editors can move nodes to change the order in which they are stored in JCR. Since Magnolia does not track node order history, it is impossible to keep the same order of nodes on the public instance if you publish just one node that has been moved on the author instance. To make sure that the orders of nodes on both instances are aligned, always publish the parent node of any nodes you moved.

  • In the REST Content Delivery module, invalid JSON was produced whenever a reference resolver that was applied to a list returned Optional.Empty() (MGNLREST-227).

  • In the Scheduler module, all programmatically added jobs were deleted on restart (MGNLSCH-64).
  • In the Synchronization module, synchronizing the same node more than once failed because the target node was locked on the public instance (MGNLSYNC-42).
  • In the Task Management module, performance slowed down as more tasks were added. To improve performance, you need to reindex the tasks workspace using the new task-specific indexing configuration (TASKMGMT-41).


If you are upgrading from an earlier version, read Upgrading to Magnolia 5.6.x first and check the Known issues section on the page.

Deprecated requestor properties replaced

The properties ATTRIBUTE_REQUESTOR of info.magnolia.context.Context and requestor of info.magnolia.task.Task have been deprecated in favor of ATTRIBUTE_USERNAME and userName respectively.


Deprecated Content API classes replaced

The PropertyExistsDelegateTask and PropertyValueDelegateTask classes of the legacy Content API have been replaced with HasPropertyDelegateTask and ValueOfPropertyDelegateTask respectively.



See the 5.6.14 changelog for all the changes.

Updated modules

  • Backup 2.2.5
  • Barebones Tomcat Bundle 1.0.4
  • Blossom 3.2.3
  • Cache 5.6.4
  • Community Edition 5.6.14
  • Content Dependencies 1.8.2
  • Diff 2.0.1
  • Enterprise Edition 5.6.14
  • Magnolia 5.6.13
  • Mail 5.5.5
  • Publishing 1.0.10
  • REST Framework 2.1.6
  • Scheduler 2.3.4
  • Site 1.2.4
  • Synchronization 1.8.3
  • Task Management 1.2.8
  • Third-party library BOM 5.6.10
  • UI 5.6.13


The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Le Bao Duy, Stefan Baur, Tytgat Christian, Philip Mundt and Diana Racho.

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels