Spring CSRF token life
I am implementing CSRF protection using Spring security as per the doc

One question I have is: when will this token get invalidated by Spring Security? Does the token get invalidated on each request submit?

Eruptive answered 11/11, 2014 at 13:55

By default the CSRF token is stored in the HTTP session and is generated on a per-session basis. See the official Spring Security documentation for more details. Therefore, the default lifecycle of CSRF tokens is the session duration.

Like everything else in Spring Security, the storage and retrieval of CSRF tokens can be customized to suit individual needs. The way to do that would involve creating an implementation for CsrfTokenRepository. Custom implementations could change the token on a per request basis, store the token in a relational database, and so on.

Knesset answered 12/11, 2014 at 9:11
Thank you. Since the default life span of the CSRF token is the session, during this active session time a CSRF attacker link can attack my site, right? [I mean, if I click on an attacker link while the session is active] – Eruptive

No, that is the scenario CSRF protection is for. If you happen to visit a malicious site while you have an active session on an important website, the malicious site cannot submit requests to the important website successfully. This is because the attacker will not have the CSRF token for the session and therefore forged requests will be rejected. – Knesset
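The answer above says the token lifecycle can be changed by supplying a custom CsrfTokenRepository. The following is an added example written for this page, not code from the answer or from Spring Security itself. It keeps the token in the HTTP session like the default HttpSessionCsrfTokenRepository does, but records when the token was issued and reports "no token" once a configured lifetime has passed, so CsrfFilter generates and stores a fresh one and any request still carrying the old value is rejected. The class name, the session attribute names and the 30-minute lifetime are assumptions; it targets Spring Security 6 with Jakarta Servlet (for Spring Security 5, swap the jakarta.servlet imports for javax.servlet).

```java
// Added example, not from the original answer. Assumes Spring Security 6 / Jakarta Servlet.
// ExpiringSessionCsrfTokenRepository and its attribute names are invented for this example.
import java.time.Duration;
import java.time.Instant;
import java.util.UUID;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;

public class ExpiringSessionCsrfTokenRepository implements CsrfTokenRepository {

    private static final String TOKEN_ATTR =
            ExpiringSessionCsrfTokenRepository.class.getName() + ".TOKEN";
    private static final String ISSUED_AT_ATTR =
            ExpiringSessionCsrfTokenRepository.class.getName() + ".ISSUED_AT";

    private final Duration maxAge;

    public ExpiringSessionCsrfTokenRepository(Duration maxAge) {
        this.maxAge = maxAge;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        // Same header and parameter names the default repository uses; random token value.
        return new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", UUID.randomUUID().toString());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        if (token == null) {
            // Spring Security calls saveToken(null, ...) to clear the token (e.g. on logout).
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(TOKEN_ATTR);
                session.removeAttribute(ISSUED_AT_ATTR);
            }
            return;
        }
        // Create the session on the first save, as the default repository does.
        HttpSession session = request.getSession();
        session.setAttribute(TOKEN_ATTR, token);
        session.setAttribute(ISSUED_AT_ATTR, Instant.now());
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        CsrfToken token = (CsrfToken) session.getAttribute(TOKEN_ATTR);
        Instant issuedAt = (Instant) session.getAttribute(ISSUED_AT_ATTR);
        if (token == null || issuedAt == null) {
            return null;
        }
        if (Instant.now().isAfter(issuedAt.plus(maxAge))) {
            // Token is past its lifetime: drop it and report "missing" so that
            // CsrfFilter issues a new one; a request that still carries the old
            // value fails validation and gets a 403 like any other invalid token.
            session.removeAttribute(TOKEN_ATTR);
            session.removeAttribute(ISSUED_AT_ATTR);
            return null;
        }
        return token;
    }

    // Wiring the repository into the filter chain (assumed 30-minute lifetime).
    @Configuration
    public static class CsrfConfig {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.csrf(csrf -> csrf.csrfTokenRepository(
                    new ExpiringSessionCsrfTokenRepository(Duration.ofMinutes(30))));
            return http.build();
        }
    }
}
```

The contract this relies on is the one CsrfFilter already follows: when loadToken returns null the filter calls generateToken and saveToken, and a state-changing request whose submitted value does not match the stored token is rejected. A bounded lifetime does not make the protection itself stronger than the per-session default the answer describes; it mainly narrows the window in which a token that leaked some other way (a log, a cached page) stays usable, at the cost of a form that sits open longer than maxAge failing on submit.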
