How long is the Spring temporary CSRF token expiration time?


creates a new definitive JSESSIONID and a new session-based CSRF token

This is a session fixation strategy.

There are at least two strategies for CSRFToken generation:

  1. per session
  2. per request

The default behaviour should be per session. It means that as long as the session is alive, one and only one CSRFToken will be bound to it (but this can be changed). After successful authentication, because of session fixation, a new session will be created with a new CSRFToken.

Thus, if I ask for the CSRF token, then wait a few minutes and finally try to log in, the CSRF token may have expired and I will have to ask for another one

This is wrong. It will stay as long as the session is active.

I couldn't find how to configure the temporary Spring session expiration time and I couldn't find what was its exact default duration

The temporary session is called temporary because it is valid until authentication and is then replaced by a new one. But the same timeout policy is applied to it as to a common session. You can configure session-timeout in web.xml using session-config. The default value in Tomcat is 30 minutes.
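As an added illustration (not code from the original post, from Spring Security or from Tomcat), the following Python model of the four steps listed in the question shows the points made in the answer: the CSRF token lives exactly as long as the session that holds it, each request resets the session's idle timer, a login within the timeout succeeds and is answered with a new JSESSIONID and a new token (the old pair stops working), and the authenticated session is subject to the same idle timeout as the temporary one. The 30-minute default, the generated JSESSIONID and token strings, the user "alice" and the time values are constructed sample inputs, and the class and function names are this example's own.

```python
import secrets


class SessionExpired(Exception):
    """JSESSIONID unknown, or idle longer than the session timeout."""


class InvalidCsrfToken(Exception):
    """Submitted token does not match the one stored in that session."""


class SessionStore:
    """Toy model of a servlet session store with one CSRF token per session.

    Constructed to illustrate the behaviour the answer describes; it is not
    Spring Security or Tomcat code. Time is passed in explicitly (seconds) so
    the idle timeout can be exercised without sleeping.
    """

    def __init__(self, timeout_seconds=30 * 60):   # 30 minutes: Tomcat default
        self.timeout = timeout_seconds
        self._sessions = {}                         # JSESSIONID -> session dict

    def _new_session(self, now, user=None):
        sid = secrets.token_urlsafe(16)             # stands in for JSESSIONID
        self._sessions[sid] = {"token": secrets.token_urlsafe(32),
                               "last": now, "user": user}
        return sid

    def _touch(self, sid, now):
        """Expire the session if it idled past the timeout, else refresh it."""
        s = self._sessions.get(sid)
        if s is None or now - s["last"] > self.timeout:
            self._sessions.pop(sid, None)
            raise SessionExpired(sid)
        s["last"] = now                             # every request resets the idle timer
        return s

    def is_active(self, sid, now):
        """Peek without refreshing the idle timer."""
        s = self._sessions.get(sid)
        return s is not None and now - s["last"] <= self.timeout

    def options(self, now, sid=None):
        """Pre-login OPTIONS: create a temporary session if the client has none
        and return (JSESSIONID, CSRF token); the token is bound to that session."""
        if sid not in self._sessions:
            sid = self._new_session(now)
        return sid, self._touch(sid, now)["token"]

    def login(self, sid, token, username, now):
        """POST /login: verify the token against the session it was issued for,
        then migrate the session (session fixation protection): new id, new token."""
        s = self._touch(sid, now)
        if not secrets.compare_digest(s["token"], token):
            raise InvalidCsrfToken()
        del self._sessions[sid]                     # temporary JSESSIONID is now dead
        new_sid = self._new_session(now, user=username)
        return new_sid, self._sessions[new_sid]["token"]


def token_survives_idle(idle_seconds, timeout_seconds=30 * 60):
    """Fetch a token, stay idle for idle_seconds, then try to log in with it."""
    store = SessionStore(timeout_seconds)
    sid, token = store.options(now=0)
    try:
        store.login(sid, token, "alice", now=idle_seconds)
        return True
    except SessionExpired:
        return False


def login_flow(timeout_seconds=30 * 60):
    """Run the four steps from the question and report what changed at login."""
    store = SessionStore(timeout_seconds)
    t = 0
    tmp_sid, tmp_token = store.options(now=t)                 # steps 1 and 2
    t += timeout_seconds // 2                                 # idle, within timeout
    auth_sid, auth_token = store.login(tmp_sid, tmp_token, "alice", now=t)  # 3, 4
    result = {
        "session_id_changed": auth_sid != tmp_sid,
        "token_changed": auth_token != tmp_token,
        "old_session_invalid": not store.is_active(tmp_sid, t),
        "new_session_active": store.is_active(auth_sid, t),
    }
    t += timeout_seconds + 1                                  # authenticated session idles out too
    result["expired_after_timeout"] = not store.is_active(auth_sid, t)
    return result


if __name__ == "__main__":
    print(login_flow())
    print("token usable after 25 min idle:", token_survives_idle(25 * 60))
    print("token usable after 31 min idle:", token_survives_idle(31 * 60))
```

Running the file prints the outcome of the flow and whether a token fetched at time zero is still usable after 25 and 31 idle minutes with the 30-minute default. In a real deployment the knob is the one the answer names: session-timeout under session-config in web.xml, in minutes, which governs the pre-login session and the post-login session alike.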

Author: singe3

Updated on June 15, 2022

Comments

  • singe3 (almost 2 years)

    I enabled CSRF with spring security and it is working as expected.

    I read Spring official documentation about CSRF http://docs.spring.io/spring-security/site/docs/3.2.7.RELEASE/reference/htmlsingle/#csrf

    I also read this tutorial about CSRF with Spring and AngularJS http://www.codesandnotes.be/2015/07/24/angularjs-web-apps-for-spring-based-rest-services-security-the-server-side-part-2-csrf/

    What Spring Security does is that it sets up a temporary session for that. So basically it goes like this:

    1. The client asks for a token with an OPTIONS request.
    2. The server creates a temporary session, stores the token and sends back a JSESSIONID and the token to the client.
    3. The client submits the login credentials using that JSESSIONID and CSRF token.
    4. The server matches the CSRF stored for the received JSESSIONID and, if all is green-lighted, creates a new definitive JSESSIONID and a new session-based CSRF token for the client to validate its requests after the login.

    As I have understood, when you are not logged in, you can get your first CSRF token by sending an OPTIONS request on any API endpoint, for example /api/login

    Spring will then create a CSRF token bound to a temporary session (temporary CSRF and JSESSIONID cookies)

    Thus, if I ask for the CSRF token, then wait a few minutes and finally try to log in, the CSRF token may have expired and I will have to ask for another one.

    I couldn't find how to configure the temporary Spring session expiration time and I couldn't find what was its exact default duration.

    Does anyone have any information about that?

  • singe3 (about 8 years)
    Thank you, but it seems that you are wrong, because I have configured the session to last 24 hours (1440 min in web.xml). When I am authenticated, it effectively lasts 24 hours, so it's fine. However, when I am not authenticated, the session only lasts for a few minutes, so there must be something else, maybe a hardcoded timeout for unauthenticated sessions.
  • hahn (about 8 years)
    @singe3 I have a few questions: 1) have you done anything to spring config? 2) how JSESSIONID and CSRFToken are returned from a server (as cookie (what is exp time) and/or response body)?
  • singe3 (about 8 years)
    No, I didn't change the Spring default config about the CSRF token. I solved my problem in the front-end by making an OPTIONS request on the login endpoint just before the login POST in order to retrieve a fresh token. My token is sent to the client as a custom header because it's cross domain, so I can't read a cookie from JavaScript.