I am using the <csrf/> tag in my Spring Security XML file for a web project, and I am sending the CSRF token in a form:
<form action="" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
But on intercepting the request through BurpSuite, I am getting the same CSRF token on every request for as long as the session persists.
Is there any way I could send a different CSRF token per request rather than per session in Spring Security?
I am using the 3.2.4 Spring Security jars.
The web server needs a mechanism to determine whether a legitimate user generated a request via the user's browser to avoid such attacks. A CSRF token helps with this: the server side generates a unique, unpredictable, and secret value to be included in the client's HTTP request.
The CSRF token sent in the state parameter is the "client side" of your usual CSRF token (the one you put in a hidden input field on your forms). Since the CSRF token will (by design) be sent in GET requests, it's advisable to make them unique and not reuse them.
Typically, this token is the same throughout the session, but in some circumstances it is more secure to rotate CSRF tokens often, or make them specific to the form they are on.
To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.
Default duration of CSRF tokens is the session duration. The CSRF token is stored in the HTTP session and is therefore generated on a per-session basis. Check Spring Security documentation on CSRF for more details.
Spring Security can be extended to suit individual needs, so it can be extended for your purpose.
But, this extension influences usability:
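One way to get a per-request token on Spring Security 3.2.x, as an added example that is not from the question, the answer, or Spring Security itself: a filter registered after the built-in CsrfFilter mints and stores a new token once the current request has been validated, so every rendered view carries a token that is only good for the next request. The class name, bean ids, and the XML wiring shown in the trailing comment are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not part of Spring Security): rotates the CSRF token
// on every request. It must run AFTER CsrfFilter, which has already compared
// the submitted token with the one stored in the session.
public class RotatingCsrfTokenFilter extends OncePerRequestFilter {

    private final CsrfTokenRepository repository;

    public RotatingCsrfTokenFilter(CsrfTokenRepository repository) {
        this.repository = repository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // CsrfFilter exposes the current token under this attribute (and under
        // "_csrf", which is what ${_csrf.token} in the JSP reads).
        CsrfToken current = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (current != null) {
            // Generate a fresh, unpredictable token and persist it in the session;
            // the next state-changing request must present THIS value.
            CsrfToken next = repository.generateToken(request);
            repository.saveToken(next, request, response);
            // Make the view render the new token instead of the one just consumed.
            request.setAttribute(CsrfToken.class.getName(), next);
            request.setAttribute(next.getParameterName(), next);
        }
        chain.doFilter(request, response);
    }
}

/* Assumed wiring in the Spring Security XML (bean ids are placeholders):
 *   <beans:bean id="csrfRepo"
 *       class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
 *   <beans:bean id="rotatingCsrf" class="RotatingCsrfTokenFilter">
 *       <beans:constructor-arg ref="csrfRepo"/>
 *   </beans:bean>
 *   <http>
 *       <csrf token-repository-ref="csrfRepo"/>
 *       <custom-filter after="CSRF_FILTER" ref="rotatingCsrf"/>
 *   </http>
 */
```

Because the stored token changes on every response, a form opened in a second tab, a page reached with the back button, or two concurrent AJAX calls will submit a stale token and be rejected; that is the usability cost the answer refers to, so only adopt this for the specific high-value forms that need it.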