发表新帖
发表新帖

CSRF token expires during login

前端 未结
关注
4 2461
挽巷
挽巷 2021-02-01 08:57

I\'m working on Spring web application and I need to avoid problem with expire csrf token on login page, because if user is waiting too long and try to login only one way to res

4条回答
  • 盖世英雄少女心
    盖世英雄少女心 (楼主)
    2021-02-01 09:35

    Recommended solution

    I would say that you should not disable csrf tokens on a production site. You may make session (and thus the csrf token) last longer (but it usually should not last longer than a day, especially for not-logged-in users as it is a DOS vector), but the real solution may be to automatically refresh the login page when the csrf token expires. You may use a

    in your login page header. If the user lets the login page sit for hours, it should not bother him that the page got refreshed.

    Second solution

    A possible solution which does not require you to actually store sessions but allows for infinite timeout is that you can generate your csrf tokens with hashing from the session id and a server-side secret:

    csrf = hash(sessionid+secret)

    Note however that you need to really dig and override spring-security internal mechanisms, namely:

    • re-creating anonymous sessions on the fly if a request arrives and no such session exists
    • re-creating the csrf token on the fly from the session id

    And choose a very secure hashing algorithm, preferably sha-512.

    Third solution

    You could have a small javascript that calls a no-op page on your server regularly (just before the session timeout), thus extending your session. This results in infinite session timeout only if the browser is on all the time, so the DOS aspect is mitigated.

    Ok, one last solution

    You can alter the CSRF token checking code, and disable it for the login page. This is actually synonymous with the second solution, but is specific for the login page, not generally for all anonymous sessions.

    You can do this e.g. by setting a custom RequestMatcher in HttpSecurity:

    http.csrf().requireCsrfProtectionMatcher(new MyCsrfRequestMatcher());
...
class MyCsrfRequestMatcher implements RequestMatcher {
    @Override
    public boolean matches(HttpServletRequest request) {
        return !request.getServletPath().equals("/login");
    }
}

    0 讨论(0)
 看不清?
提交回复
热议问题