
How long is Spring temporary CSRF token expiration time?

I enabled CSRF with spring security and it is working as expected.

I read the Spring official documentation about CSRF: http://docs.spring.io/spring-security/site/docs/3.2.7.RELEASE/reference/htmlsingle/#csrf

I also read this tutorial about CSRF with Spring and AngularJS: http://www.codesandnotes.be/2015/07/24/angularjs-web-apps-for-spring-based-rest-services-security-the-server-side-part-2-csrf/

What Spring Security does is that it sets up a temporary session for that. So basically it goes like this:

  1. The client asks for a token with an OPTIONS request.
  2. The server creates a temporary session, stores the token and sends back a JSESSIONID and the token to the client.
  3. The client submits the login credentials using that JSESSIONID and CSRF token.
  4. The server matches the CSRF stored for the received JSESSIONID and, if all is green-lighted, creates a new definitive JSESSIONID and a new session-based CSRF token for the client to validate its requests after the login.

As I have understood, when you are not logged in, you can get your first CSRF token by sending an OPTIONS request to any API endpoint, for example /api/login.

Spring will then create a CSRF token bound to a temporary session (temporary CSRF and JSESSIONID cookies).

Thus, if I ask for the CSRF token, then wait a few minutes and finally try to log in, the CSRF token may have expired and I will have to ask for another one.

I couldn't find how to configure the temporary Spring session expiration time, and I couldn't find what its exact default duration is.

Does anyone have any information about that?

asked Feb 17 '16 14:02 by singe3



1 Answer

creates a new definitive JSESSIONID and a new session-based CSRF token

This is a session fixation strategy.

There are at least two strategies for CSRF token generation:

  1. per session
  2. per request

The default behaviour should be per session. It means that as long as the session is alive, one and only one CSRF token is bound to it (but this can be changed). After successful authentication, because of session fixation, a new session is created with a new CSRF token.

Thus, if I ask for the CSRF token, then wait a few minutes and finally try to log in, the CSRF token may have expired and I will have to ask for another one

This is wrong. It stays as long as the session is active.

I couldn't find how to configure the temporary Spring session expiration time and I couldn't find what its exact default duration is

The temporary session is called temporary because it is valid until authentication and is then replaced by a new one. But the same timeout policy is applied to it as to a common session. You can configure session-timeout in web.xml using session-config. The default value of Tomcat is 30 minutes.

answered Oct 05 '22 00:10 by hahn
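Putting the answer's points together in code, as an added example that is not part of the question, the answer or the linked tutorial: a Spring Security 3.2-style Java configuration using the per-session token repository and session fixation handling, plus the session timeout the answer says to set in web.xml, here set programmatically with a servlet listener. The class names are assumed.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfSessionConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Per-session repository: the default when csrf() is enabled. One token is
        // stored in the HttpSession and stays valid until the session is
        // invalidated or times out; the token has no lifetime of its own.
        HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
        http
            .csrf().csrfTokenRepository(repo)
            .and()
            // Session fixation protection: on successful login the pre-login
            // ("temporary") session is replaced, and CsrfAuthenticationStrategy
            // saves a fresh token in the new session (the "new definitive
            // JSESSIONID and new CSRF token" step quoted in the question).
            .sessionManagement().sessionFixation().migrateSession()
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}

// --- SessionTimeoutListener.java (separate file, assumed name) ---
// Programmatic equivalent of web.xml's
// <session-config><session-timeout>30</session-timeout></session-config>.
// The same inactivity limit governs the pre-login session holding the first
// CSRF token and the post-login session; 30 minutes matches Tomcat's default.
@WebListener
public class SessionTimeoutListener implements HttpSessionListener {
    private static final int TIMEOUT_SECONDS = 30 * 60;
    @Override
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval(TIMEOUT_SECONDS);
    }
    @Override
    public void sessionDestroyed(HttpSessionEvent event) { }
}
```

Whether the token is issued before or after login, it disappears with its session, so the only expiry to tune is the session's inactivity timeout.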