Different csrf tokens for each request in Spring Security

I am using the <csrf/> element in the Spring Security XML file for a web project, and I send the CSRF token in the form:

    <form action="" method="post">
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    </form>

But when I intercept the requests with Burp Suite, I get the same CSRF token for every request as long as the session persists.

Is there a way to send a different CSRF token for each request, rather than one per Spring Security session?

I am using the Spring Security 3.2.4 jars.

1 answer

By default, a CSRF token is valid for the duration of the session. The CSRF token is stored in the HTTP session and is therefore generated once per session. For details, see the Spring Security CSRF documentation.

Spring Security can be extended to suit individual needs, so it can be extended for your purpose as well.

However, such an extension affects usability:

  • Opening the web application in a second tab will lead to the termination of the session in one or both tabs.
  • The back button on submitted forms may cause some strange errors.
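One way to implement the per-request rotation the answer describes, as an added example that is not code from the post or from Spring Security itself. The filter class, the package `example`, and the bean ids in the wiring comment are hypothetical; it relies on the public CsrfTokenRepository interface, HttpSessionCsrfTokenRepository and the CSRF_FILTER position name that exist in Spring Security 3.2.

```java
package example;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/*
 * Hypothetical filter (added example, not part of Spring Security): after a
 * state-changing request has passed CsrfFilter, overwrite the session-scoped
 * token with a fresh one, so every form post needs a token that was issued
 * after the previous post. Wiring in the security XML (bean ids assumed):
 *
 *   <http>
 *     <csrf token-repository-ref="csrfTokenRepository"/>
 *     <custom-filter after="CSRF_FILTER" ref="rotatingCsrfTokenFilter"/>
 *   </http>
 *   <beans:bean id="csrfTokenRepository"
 *       class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
 *   <beans:bean id="rotatingCsrfTokenFilter" class="example.RotatingCsrfTokenFilter">
 *     <beans:constructor-arg ref="csrfTokenRepository"/>
 *   </beans:bean>
 */
public class RotatingCsrfTokenFilter extends OncePerRequestFilter {

    private final CsrfTokenRepository repository;

    public RotatingCsrfTokenFilter(CsrfTokenRepository repository) {
        this.repository = repository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // CsrfFilter runs before us and stops the chain with 403 on a bad token,
        // so reaching this point means the submitted token was valid.
        chain.doFilter(request, response);
        String method = request.getMethod();
        // Safe methods never consume a token; rotate only after the others.
        if (!("GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method) || "TRACE".equals(method))) {
            repository.saveToken(repository.generateToken(request), request, response);
        }
    }
}
```

Because the token is replaced only after the request completes, a form rendered directly in the POST response would still carry the old value; with POST-redirect-GET the next page picks up the new token, while a form left open in a second tab fails exactly as the answer warns.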

Source: https://habr.com/ru/post/1244576/
