Spring CSRF token life

淺唱寂寞╮ submitted on 2019-12-10 14:57:24

Question


I am implementing CSRF protection using Spring Security as per the doc.

One question I have is: when will this token get invalidated by Spring Security? Does the token get invalidated on each request submit?


Answer 1:


By default the CSRF token is stored in the HTTP session and is generated on a per-session basis. See the official Spring Security documentation for more details. Therefore, the default lifecycle of CSRF tokens is the session duration.

Like everything else in Spring Security, the storage and retrieval of CSRF tokens can be customized to suit individual needs. The way to do that would involve creating an implementation for CsrfTokenRepository. Custom implementations could change the token on a per request basis, store the token in a relational database, and so on.



Source: https://stackoverflow.com/questions/26866529/spring-csrf-token-life
