How long is Spring temporary CSRF token expiration time?
> creates a new definitive JSESSIONID and a new session-based CSRF token

This is a session fixation strategy. There are at least 2 strategies for CSRFToken generation. The default behaviour should be per session. It means that as long as the session is alive, one and only one CSRFToken would be bound to it (but this can be changed). After successful authentication, because of session fixation, a new session would be created with a new CSRFToken.

> Thus, if I ask the CSRF token then wait a few minutes and finally try to login, the CSRF token may have expired and I will have to ask another one

This is wrong. It would stay as long as the session is active.

> I couldn't find how to configure the temporary Spring session expiration time and I couldn't find what was its exact default duration

The temporary session is called temporary because it is valid until authentication and is then replaced by a new one. But the same timeout policy is applied to it as to a common session. You can configure session-timeout in web.xml using session-config. The default value of Tomcat is 30 minutes.
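As an added illustration of the two points in this answer (per-session CSRF token and session replacement on login), here is a Spring Security Java configuration in the style of the 3.2.x/4.x API referenced in the question, together with a session listener that logs the effective inactivity timeout of every new session, including the pre-authentication one. This is example code written for this page, not code from the post or from the Spring project; the login URL /api/login, the use of WebSecurityConfigurerAdapter and a Servlet 3.0+ container are assumptions.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

// Assumed environment: Spring Security 3.2.x/4.x Java config and a Servlet 3.0+
// container such as Tomcat. Added example; not the original post's code.
@Configuration
@EnableWebSecurity
public class CsrfSessionConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Per-session strategy: one CSRF token is stored as an HttpSession
        // attribute and stays valid for as long as that session is alive.
        // This repository is already the default; it is spelled out here so
        // the header name the client must send is explicit.
        HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
        repo.setHeaderName("X-CSRF-TOKEN"); // default header name

        http
            .csrf()
                .csrfTokenRepository(repo)
                .and()
            .sessionManagement()
                // Session fixation protection: on successful login the pre-auth
                // ("temporary") session is replaced. migrateSession copies the
                // old attributes into the new session, and Spring Security then
                // issues a fresh CSRF token for the authenticated session.
                .sessionFixation().migrateSession()
                .and()
            .authorizeRequests()
                .antMatchers("/api/login").permitAll()   // assumed login endpoint
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginProcessingUrl("/api/login");
    }

    // Logs the inactivity timeout applied to each new session. The value comes
    // from <session-config><session-timeout> in web.xml (Tomcat's default is
    // 30 minutes) unless application code overrides it per session, so the
    // line printed for the session created by the token request shows the
    // timeout that actually applies before login.
    @WebListener
    public static class SessionTimeoutLogger implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent se) {
            System.out.println("session " + se.getSession().getId()
                + " maxInactiveInterval=" + se.getSession().getMaxInactiveInterval() + "s");
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            System.out.println("session " + se.getSession().getId() + " destroyed");
        }
    }
}
```

Reading the logged maxInactiveInterval for the session created by the OPTIONS request, and the timestamp of its "destroyed" line, is the direct way to check whether an unauthenticated session really lives for the configured session-timeout or is being cut short by something else in the deployment.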
singe3
Updated on June 15, 2022

Comments

-
singe3 almost 2 years
I enabled CSRF with spring security and it is working as expected.
I read Spring official documentation about CSRF http://docs.spring.io/spring-security/site/docs/3.2.7.RELEASE/reference/htmlsingle/#csrf
I also read this tutorial about CSRF with Spring and AngularJS http://www.codesandnotes.be/2015/07/24/angularjs-web-apps-for-spring-based-rest-services-security-the-server-side-part-2-csrf/
What Spring Security does is that it sets up a temporary session for that. So basically it goes like this:
- The client asks a token with an OPTIONS request.
- The server creates a temporary session, stores the token and sends back a JSESSIONID and the token to the client.
- The client submits the login credentials using that JSESSIONID and CSRF token.
- The server matches the CSRF stored for the received JSESSIONID and, if all is green-lighted, creates a new definitive JSESSIONID and a new session-based CSRF token for the client to validate its requests after the login.
As I have understood, when you are not logged in, you can get your first CSRF token by sending an OPTIONS request on any API endpoint, for example /api/login
Spring will then create a CSRF token bound to a temporary session (temporary CSRF and JSESSIONID cookies)
Thus, if I ask the CSRF token then wait a few minutes and finally try to login, the CSRF token may have expired and I will have to ask another one.
I couldn't find how to configure the temporary Spring session expiration time and I couldn't find what was its exact default duration.
Does anyone have any information about that?
-
singe3 about 8 years: Thank you but it seems that you are wrong, because I have configured the session to last 24 hours (1440 min in web.xml). When I am authenticated, it effectively lasts 24 hours, so it's fine. However when I am not authenticated, the session only lasts for a few minutes, so there must be something else, maybe a hardcoded timeout for unauthenticated sessions.
-
hahn about 8 years: @singe3 I have a few questions: 1) have you done anything to the Spring config? 2) how are JSESSIONID and CSRFToken returned from the server (as a cookie (what is the exp time) and/or in the response body)?
-
singe3 about 8 years: No, I didn't change the Spring default config about the CSRF token. I solved my problem in the front-end by making an OPTIONS request on the login endpoint just before the login POST in order to retrieve a fresh token. My token is sent to the client as a custom header because it's cross-domain so I can't read a cookie from JavaScript.
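The two-step flow the asker settled on (OPTIONS for a fresh token immediately before the login POST, token carried in a custom header), written as a Java 11 HTTP client so it can be exercised outside a browser. This is an added example, not code from the post or from the tutorial it links; the base URL http://localhost:8080, the endpoint /api/login, the header name X-CSRF-TOKEN and the form field names are assumptions, and the credentials are constructed placeholders.

```java
import java.net.CookieManager;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

// Added example (not the post's code). Assumes the API at BASE issues JSESSIONID
// as a cookie and returns the CSRF token in the X-CSRF-TOKEN response header.
public class CsrfLoginClient {
    private static final String BASE = "http://localhost:8080"; // assumed
    private static final String LOGIN = BASE + "/api/login";      // assumed
    private static final String TOKEN_HEADER = "X-CSRF-TOKEN";   // assumed custom header

    public static void main(String[] args) throws Exception {
        // The CookieManager keeps the JSESSIONID issued by the OPTIONS response and
        // sends it back on the POST, so the token is checked against the session it
        // was stored in. A token paired with a different JSESSIONID is rejected.
        HttpClient client = HttpClient.newBuilder()
            .cookieHandler(new CookieManager())
            .build();

        // Step 1: request a fresh token right before logging in, so the temporary
        // session cannot time out between the two requests.
        HttpRequest options = HttpRequest.newBuilder(URI.create(LOGIN))
            .method("OPTIONS", HttpRequest.BodyPublishers.noBody())
            .build();
        HttpResponse<Void> pre = client.send(options, HttpResponse.BodyHandlers.discarding());
        String token = pre.headers().firstValue(TOKEN_HEADER)
            .orElseThrow(() -> new IllegalStateException("no " + TOKEN_HEADER + " header in OPTIONS response"));

        // Step 2: POST the credentials with the token in the header (constructed values).
        HttpRequest login = HttpRequest.newBuilder(URI.create(LOGIN))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .header(TOKEN_HEADER, token)
            .POST(HttpRequest.BodyPublishers.ofString("username=alice&password=example-password"))
            .build();
        HttpResponse<String> result = client.send(login, HttpResponse.BodyHandlers.ofString());

        // Spring Security's CsrfFilter answers 403 when the token is missing or does
        // not match the one stored in the session, which is what an expired
        // temporary session looks like from the client side.
        System.out.println("login status: " + result.statusCode());
        result.headers().firstValue(TOKEN_HEADER)
            .ifPresent(t -> System.out.println("post-login token differs: " + !t.equals(token)));
    }
}
```

After a successful login the session is replaced, so any token obtained before authentication should not be reused; the last line makes that visible by comparing the token the server returns on the login response, if it sends one, with the pre-login token.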