I enabled CSRF with spring security and it is working as expected.
I read Spring official documentation about CSRF http://docs.spring.io/spring-security/site/docs/3.2.7.RELEASE/reference/htmlsingle/#csrf
I also read this tutorial about CSRF with Spring and AngularJS http://www.codesandnotes.be/2015/07/24/angularjs-web-apps-for-spring-based-rest-services-security-the-server-side-part-2-csrf/
What Spring Security does is that it sets up a temporary session for that. So basically it goes like this:
- The client asks a token with an OPTIONS request.
- The server creates a temporary session, stores the token and sends back a JSESSIONID and the token to the client.
- The client submits the login credentials using that JSESSIONID and CSRF token.
- The server matches the CSRF stored for the received JSESSIONID and, if all is green-lighted, creates a new definitive JSESSIONID and a new session-based CSRF token for the client to validate its requests after the login.
As I have understood, when you are not logged in, you can get your first CSRF token by sending an OPTIONS request on any API endpoint, for example /api/login.
Spring will then create a CSRF token bound to a temporary session (temporary CSRF and JSESSIONID cookies).
Thus, if I ask for the CSRF token, then wait a few minutes and finally try to login, the CSRF token may have expired and I will have to ask for another one.
I couldn't find how to configure the temporary Spring session expiration time and I couldn't find what was its exact default duration.
Does anyone have any information about that?
A CSRF token is not an access token and does not have a lifetime like bearer tokens do. They are generated using session information. CSRF adds additional information to your requests that lets the server verify the request comes from an authorized location. They don't have to be session-related.
To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.
3.1 Enabling CSRF Token in Spring Security
disable() in your Spring security config class. With default setup, if you look at the source code of the page, you will see the _csrf parameter being added automatically to the form by Spring security.
Make sure tokens can't be reused. Expire them after a short amount of time. Verify the received token is the same as the set token in a safe way, for example, compare hashes. Do not send CSRF tokens in HTTP GET requests.
creates a new definitive JSESSIONID and a new session-based CSRF token

This is a session fixation strategy. There are at least 2 strategies for CSRFToken generation. The default behaviour should be per session. It means that as long as the session would be alive, one and only one CSRFToken would be bound to it (but this can be changed). After successful authentication, because of session fixation, a new session would be created with a new CSRFToken.

Thus, if I ask the CSRF token then wait a few minutes and finally try to login, the CSRF token may have expired and I will have to ask another one

This is wrong. It would stay as long as the session would be active.

I couldn't find how to configure the temporary Spring session expiration time and I couldn't find what was its exact default duration

A temporary session is called temporary because it would be valid until authentication and would be replaced by a new one. But the same timeout policy is applied to them as for a common session. You can configure session-timeout in web.xml using session-config. The default value of Tomcat is 30 minutes.
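To make the answer's point concrete (the token lives exactly as long as the HTTP session and is rotated on login), here is an added example that is not part of the question or any answer. It assumes Spring Security 3.2.x/4.x with spring-test on the classpath and uses a mock session in place of the container's, so the container-side JSESSIONID replacement itself is not simulated; only the token bookkeeping is.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

public class CsrfTokenLifetimeDemo {

    public static void main(String[] args) {
        // Default repository used by Spring Security: one token per HTTP session.
        HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();

        // Pre-login "temporary" session, created on the first request (the OPTIONS call).
        // Same timeout policy as any other session; equivalent to
        // <session-config><session-timeout>30</session-timeout></session-config>
        // in web.xml (minutes there, seconds here). 30 minutes is Tomcat's default.
        MockHttpSession preLogin = new MockHttpSession();
        preLogin.setMaxInactiveInterval(30 * 60);

        MockHttpServletRequest options = new MockHttpServletRequest("OPTIONS", "/api/login");
        options.setSession(preLogin);
        MockHttpServletResponse res = new MockHttpServletResponse();
        CsrfToken first = repo.generateToken(options);
        repo.saveToken(first, options, res);

        // A later request on the same session loads the same token: it does not
        // expire on its own, only together with the session.
        MockHttpServletRequest login = new MockHttpServletRequest("POST", "/api/login");
        login.setSession(preLogin);
        CsrfToken loaded = repo.loadToken(login);
        System.out.println("same token before login: " + first.getToken().equals(loaded.getToken()));

        // On successful authentication Spring's CsrfAuthenticationStrategy discards the
        // old token and stores a fresh one, so the pre-login token stops being valid.
        CsrfAuthenticationStrategy onLogin = new CsrfAuthenticationStrategy(repo);
        onLogin.onAuthentication(new UsernamePasswordAuthenticationToken("user", "pw"), login, res);
        CsrfToken afterLogin = repo.loadToken(login);
        System.out.println("token rotated at login: " + !first.getToken().equals(afterLogin.getToken()));

        // Once the session times out (or is invalidated) the container issues a new
        // JSESSIONID and no token is found; the client must fetch a new one.
        preLogin.invalidate();
        MockHttpServletRequest afterTimeout = new MockHttpServletRequest("POST", "/api/login");
        afterTimeout.setSession(new MockHttpSession());
        System.out.println("token after session end: " + repo.loadToken(afterTimeout));
    }
}
```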