Different csrf token per request in Spring security
I am using the <csrf/> tag in my Spring Security XML file for a web project, and I am sending the CSRF token in a form:

<form action="" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

But on intercepting the request through BurpSuite I am getting the same CSRF token on every request as long as the session persists.

Is there any way I could send a different CSRF token per request rather than per session in Spring Security?

I am using the 3.2.4 Spring Security jars.

Tc answered 7/3, 2016 at 13:4 Comment(0)

Default duration of CSRF tokens is the session duration. The CSRF token is stored in the HTTP session and is therefore generated on a per-session basis. Check Spring Security documentation on CSRF for more details.

Spring Security can be extended to suit individual needs, so it can be extended for your purpose.

But, this extension influences usability:

  1. Opening the web app in a second tab will cause the session to break in one or both tabs.
  2. The 'back' button on submitted forms might cause some strange errors.
Shorthanded answered 7/3, 2016 at 13:25 Comment(2)
In my application, after landing on the web app I have two tabs, and the first tab's data is displayed by default. Since I am using <form:form>, I could see the CSRF token present on this page. If I go to tab 2, which is a GET call to get the data, and come back to tab 1, which is again a GET call, and then on the first tab click any button that does a POST call to the backend, the POST call fails with a 403 Forbidden error and the message "Expected CSRF token not found. Has your session expired?". Any help here? - Witten
@Kiran, you probably need to create a new question rather than a comment. You should probably include some working code as an example so people can help you debug the problem. - Rabbit
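As an added illustration of the extension the answer above describes (example code, not Spring's own and not from the original post): a CsrfTokenRepository that issues a fresh token on every safe (GET/HEAD/OPTIONS/TRACE) request, so each rendered page carries a new token and the previous one stops being accepted. It assumes Spring Security 3.2's CsrfFilter calls loadToken on every request and exposes the returned token to the view; the package name and bean name are hypothetical, and the usability caveats listed in the answer (second tab, back button) apply exactly as stated.

```java
package example.security; // hypothetical package, for illustration only

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;

// Wire it in with: <csrf token-repository-ref="rotatingCsrfTokenRepository"/>
// and a <bean id="rotatingCsrfTokenRepository" class="example.security.RotatingCsrfTokenRepository"/>
public class RotatingCsrfTokenRepository implements CsrfTokenRepository {

    private static final String SESSION_ATTR =
            RotatingCsrfTokenRepository.class.getName() + ".CSRF_TOKEN";
    private static final Set<String> SAFE_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    public CsrfToken generateToken(HttpServletRequest request) {
        // Same shape as the default repository: random UUID, "_csrf" parameter, "X-CSRF-TOKEN" header
        return new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", UUID.randomUUID().toString());
    }

    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        if (token == null) {
            HttpSession session = request.getSession(false);
            if (session != null) session.removeAttribute(SESSION_ATTR);
        } else {
            request.getSession(true).setAttribute(SESSION_ATTR, token);
        }
    }

    public CsrfToken loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            // First visit: return null so CsrfFilter generates a token and saves it lazily on render
            return null;
        }
        if (SAFE_METHODS.contains(request.getMethod())) {
            // Safe request: rotate, so the page about to be rendered carries a fresh token
            // and any token issued with an earlier page is no longer accepted
            CsrfToken fresh = generateToken(request);
            session.setAttribute(SESSION_ATTR, fresh);
            return fresh;
        }
        // State-changing request: validate against the token issued with the last rendered page
        return (CsrfToken) session.getAttribute(SESSION_ATTR);
    }
}
```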
