What is the best way to handle Invalid CSRF token found in the request when session times out in Spring security
2017-09-09 18:32
866 views
18.5.1 Timeouts
One issue is that the expected CSRF token is stored in the HttpSession, so as soon as the HttpSession expires your configured AccessDeniedHandler will receive an InvalidCsrfTokenException. If you are using the default AccessDeniedHandler, the browser will get an HTTP 403 and display a poor error message.

One might ask why the expected CsrfToken isn't stored in a cookie by default. This is because there are known exploits in which headers (i.e. specify the cookies) can be set by another domain. This is the same reason Ruby on Rails no longer skips CSRF checks when the header X-Requested-With is present. See this webappsec.org thread for details on how to perform the exploit. Another disadvantage is that by removing the state (i.e. the timeout) you lose the ability to forcibly terminate the token if it is compromised.
Alternatively, specifying a custom AccessDeniedHandler allows you to process the InvalidCsrfTokenException any way you like. For an example of how to customize the AccessDeniedHandler refer to the provided links for both xml and Java configuration.
Finally, the application can be configured to use CookieCsrfTokenRepository which will not expire. As previously mentioned, this is not as secure as using a session, but in many cases can be good enough.
https://docs.spring.io/spring-security/site/docs/4.2.3.RELEASE/reference/htmlsingle/#csrf-timeouts
What is the best way to handle Invalid CSRF token found in the request when session times out in Spring security
The easiest way I found to handle an invalid CSRF token when the session times out at the login page is one of the following:
Redirect the request to the login page again via a CustomAccessDeniedHandler:
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.web.access.AccessDeniedHandlerImpl;
    import org.springframework.security.web.csrf.InvalidCsrfTokenException;
    import org.springframework.security.web.csrf.MissingCsrfTokenException;

    // Can also be declared as a static nested class inside the security config.
    public class CustomAccessDeniedHandler extends AccessDeniedHandlerImpl {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException, ServletException {
            // Both exceptions extend AccessDeniedException; on the login page they
            // mean the session, and the token stored in it, has expired.
            if (accessDeniedException instanceof MissingCsrfTokenException
                    || accessDeniedException instanceof InvalidCsrfTokenException) {
                if (request.getRequestURI().contains("login")) {
                    // Send the user to a fresh login page (new session, new token) instead of a 403.
                    response.sendRedirect(request.getContextPath() + "/login");
                    return; // response is committed; nothing left for the default handler to do
                }
            }
            // Everything else gets the default 403 handling.
            super.handle(request, response, accessDeniedException);
        }
    }
Add a refresh header, as Neil McGuigan suggested (JSP; reloads the login page when the session's inactivity timeout is reached, so the form carries a valid token):

    <meta http-equiv="refresh" content="${pageContext.session.maxInactiveInterval}">
Furthermore, you must create a bean for the new CustomAccessDeniedHandler and register it. The following example shows this for Java config.
In any config class:

    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        return new CustomAccessDeniedHandler();
    }

In your security config (a WebSecurityConfigurerAdapter subclass), modify the configure method as follows:

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            // ... (the rest of your configuration)
            .and()
            .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
    }
Also see here.
A more optimal solution would be for Spring Security to handle this situation in the framework itself.
https://stackoverflow.com/questions/32446903/what-is-the-best-way-to-handle-invalid-csrf-token-found-in-the-request-when-sess
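The two handling options from the Spring Security reference text above (a custom AccessDeniedHandler, or switching to CookieCsrfTokenRepository) put together with the answer's redirect-to-login approach, as a complete Spring Security 4.2-style Java configuration. This is an added example written for this page, not code from the original answer or from the Spring Security project. It assumes a form login served at /login, a login view that shows a "session expired" hint when a (hypothetical) expired=true query parameter is present, and a DispatcherServlet mapped to /, so that getServletPath() returns the request path.

```java
package com.example.security; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

@Configuration
@EnableWebSecurity
public class CsrfTimeoutSecurityConfig extends WebSecurityConfigurerAdapter {

    // Set to true to use the cookie-backed token that does not expire with the session.
    // Kept false by default: the session-backed token is the safer choice (see the docs above).
    private static final boolean USE_COOKIE_CSRF_REPOSITORY = false;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .exceptionHandling()
                .accessDeniedHandler(accessDeniedHandler());

        if (USE_COOKIE_CSRF_REPOSITORY) {
            // Token lives in the XSRF-TOKEN cookie, readable by JavaScript (httpOnly=false) so a
            // client can echo it in the X-XSRF-TOKEN header. No session state, so it cannot time
            // out, but it also cannot be revoked server-side if it leaks.
            http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        }
        // Otherwise the default HttpSessionCsrfTokenRepository stays in effect.
    }

    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        return new CsrfAwareAccessDeniedHandler();
    }

    /**
     * A CSRF failure on the login POST almost always means the session (and with it the
     * expected token) expired, so redirect to a fresh login page instead of a bare 403.
     * CSRF failures elsewhere, and every other AccessDeniedException, keep the default 403.
     */
    static class CsrfAwareAccessDeniedHandler extends AccessDeniedHandlerImpl {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException ex) throws IOException, ServletException {
            boolean csrfFailure = ex instanceof MissingCsrfTokenException
                    || ex instanceof InvalidCsrfTokenException;
            // Match the servlet path exactly rather than a substring of the URI, so that
            // e.g. /account/login-history is not mistaken for the login form.
            boolean loginPost = "POST".equals(request.getMethod())
                    && "/login".equals(request.getServletPath());

            if (csrfFailure && loginPost) {
                // expired=true is an assumed parameter that the login view renders as a hint.
                response.sendRedirect(request.getContextPath() + "/login?expired=true");
                return;
            }
            super.handle(request, response, ex);
        }
    }
}
```

The handler only redirects when the CSRF failure is on the login POST itself; a stale or missing token on any other request still produces the standard 403, so a genuine cross-site request is never silently converted into a redirect. Flipping USE_COOKIE_CSRF_REPOSITORY removes the timeout problem entirely, at the cost the reference text describes: with no server-side state there is nothing to invalidate if a token is compromised.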
Expected CSRF token not found. Your session has expired (403) https://gxnotes.com/article/245164.html
Spring Security – Customize the 403 Forbidden/Access Denied Page http://www.baeldung.com/spring-security-custom-access-denied-page