Description
Noticed that the ShellServlet doesn't include any sort of CSRF token to prevent an attack, but just uses the state of the session to determine authentication.
I believe this means that the servlet is potentially vulnerable to a CSRF attack. CORS protects against the majority of this, and I haven't been able to come up with a plausible vector for an actual attack yet, but it would be good to clean up.
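
One way to add the missing check is a synchronizer token bound to the session. This is an added example, not the project's code or the reporter's. The class name, the `csrfToken` attribute name and the `Map` standing in for the servlet session's attributes are assumptions; in a servlet the presented value would come from a request header or form field.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class CsrfTokenCheck {
    // Hypothetical session attribute name; not taken from the project.
    static final String ATTR = "csrfToken";
    // Methods exempt from the check; only valid if their handlers never change state.
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    /** Create the per-session token (e.g. at login) and return it for embedding in the page. */
    static String issue(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(ATTR, token);
        return token;
    }

    /** True if the request may proceed: safe method, or the presented token matches the session's. */
    static boolean allow(String method, Map<String, Object> session, String presented) {
        if (SAFE_METHODS.contains(method)) return true;
        Object expected = session.get(ATTR);
        // A valid session alone is not enough: a missing token on either side is a rejection.
        if (!(expected instanceof String) || presented == null) return false;
        // Constant-time comparison so the check does not leak how many bytes matched.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed stand-in for an authenticated session
        String token = issue(session);
        System.out.println("POST with session token: " + allow("POST", session, token));
        System.out.println("POST without token:      " + allow("POST", session, null));
        System.out.println("POST with wrong token:   " + allow("POST", session, "guess"));
        System.out.println("GET without token:       " + allow("GET", session, null));
    }
}
```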