Different csrf token per request in Spring security

I am using the <csrf/> tag in my Spring Security XML file for a web project, and sending the CSRF token in a form:

<form action="" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

But on intercepting the request through Burp Suite I am getting the same CSRF token on every request while the session persists.

Is there any way I could send a different CSRF token per request, rather than per session, in Spring Security?

I am using Spring Security 3.2.4 jars.

Shailesh Yadav asked Mar 07 '16 13:03



1 Answer

The default duration of a CSRF token is the session duration. The CSRF token is stored in the HTTP session and is therefore generated on a per-session basis. Check the Spring Security documentation on CSRF for more details.

Spring Security can be extended to suit individual needs, so it can be extended for your purpose.

But this extension influences usability:

  1. Opening the web app in a second tab will cause the session to break in one or both tabs.
  2. The 'back' button on submitted forms might cause some strange errors.
user987339 answered Oct 29 '22 00:10
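As an added example (not part of the original answer or of Spring Security itself), here is one way to do that extension on Spring Security 3.2: a filter registered after CsrfFilter that replaces the session token on every request, so the token CsrfFilter just validated is never accepted again. The class name, package and bean ids are assumptions; it assumes the `<csrf/>` element is backed by an HttpSessionCsrfTokenRepository, the 3.2 default, and that the same repository bean is handed to this filter.

```java
// Added example, not the project's own code: rotates the Spring Security 3.2
// CSRF token once per request. Package and class name are hypothetical.
package example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

public class CsrfTokenRotationFilter extends OncePerRequestFilter {

    // Methods CsrfFilter does not validate; skipping them keeps a second tab
    // working for plain navigation but still consumes every submitted token.
    private static final Set<String> SAFE_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    private final CsrfTokenRepository repository; // must be the bean <csrf/> uses
    private final boolean rotateSafeMethods;      // true = new token on every request

    public CsrfTokenRotationFilter(CsrfTokenRepository repository, boolean rotateSafeMethods) {
        this.repository = repository;
        this.rotateSafeMethods = rotateSafeMethods;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // This filter sits after CSRF_FILTER, so on a state-changing request the
        // submitted token has already been checked; a failed check never gets here.
        if (rotateSafeMethods || !SAFE_METHODS.contains(request.getMethod())) {
            CsrfToken fresh = repository.generateToken(request);
            repository.saveToken(fresh, request, response); // replaces the session token
            // CsrfFilter already exposed the old token to the view layer; overwrite
            // those attributes so ${_csrf.token} in this response carries the new one.
            request.setAttribute(CsrfToken.class.getName(), fresh);
            request.setAttribute(fresh.getParameterName(), fresh);
        }
        chain.doFilter(request, response);
    }
}
```

Wire it in the security XML with `<csrf token-repository-ref="csrfRepo"/>` and `<custom-filter after="CSRF_FILTER" ref="csrfRotationFilter"/>`, passing the same `csrfRepo` bean to the filter's constructor. Setting `rotateSafeMethods` to true gives a different token on literally every request, which is exactly what produces the second-tab and back-button breakage described in the answer.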