18.5.1 Timeouts

One issue is that the expected CSRF token is stored in the HttpSession, so as soon as the HttpSession expires your configured AccessDeniedHandler will receive a InvalidCsrfTokenException. If you are using the default AccessDeniedHandler, the browser will get an HTTP 403 and display a poor error message.

One might ask why the expected CsrfToken isn’t stored in a cookie by default. This is because there are known exploits in which headers (i.e. specify the cookies) can be set by another domain. This is the same reason Ruby on Rails no longer skips CSRF checks when the header X-Requested-With is present. See this webappsec.org thread for details on how to perform the exploit. Another disadvantage is that by removing the state (i.e. the timeout) you lose the ability to forcibly terminate the token if it is compromised.

A simple way to mitigate an active user experiencing a timeout is to have some JavaScript that lets the user know their session is about to expire. The user can click a button to continue and refresh the session.

Alternatively, specifying a custom AccessDeniedHandler allows you to process the InvalidCsrfTokenException any way you like. For an example of how to customize the AccessDeniedHandler refer to the provided links for both xml and Java configuration.

Finally, the application can be configured to use CookieCsrfTokenRepository which will not expire. As previously mentioned, this is not as secure as using a session, but in many cases can be good enough.

https://docs.spring.io/spring-security/site/docs/4.2.3.RELEASE/reference/htmlsingle/#csrf-timeouts

What is the best way to handle Invalid CSRF token found in the request when session times out in Spring security

The easiest way I found to handle invalidate CSRF token when session times out at the login page is one of the followings:

  1. Redirect the request again to the login page again vi CustomAccessDeniedHandler:

    static class CustomAccessDeniedHandler extends AccessDeniedHandlerImpl{

    @Override
    
    public void handle(HttpServletRequest request,
    
            HttpServletResponse response,

  AccessDeniedException accessDeniedException)
    
    throws IOException, ServletException {
    
if (accessDeniedException instanceof MissingCsrfTokenException
    
        || accessDeniedException instanceof InvalidCsrfTokenException) {

    if(request.getRequestURI().contains("login")){
    
        response.sendRedirect(request.getContextPath()+"/login");
    
    }
    
}

super.handle(request, response, accessDeniedException);

 }
    
}

  2. Add refresh header as Neil McGuigan suggested:

<meta http-equiv="refresh" content="${pageContext.session.maxInactiveInterval}">

  1. Furthermore you must create a bean for the new CustomAccessDeniedHandler and register it. The following example shows this for Java config.

In any config class:

@Bean

public AccessDeniedHandler accessDeniedHandler() {

    return new CustomAccessDeniedHandler();

}

In your security config modify the configure method as follows:

@Override

protected void configure(final HttpSecurity http) throws Exception {

    http

      // ...

      .and()

      .exceptionHandling().accessDeniedHandler(accessDeniedHandler());

}

Also see here.

a more Optimum solution will be for Spring security to handle this situation in their framework.

https://stackoverflow.com/questions/32446903/what-is-the-best-way-to-handle-invalid-csrf-token-found-in-the-request-when-sess

未找到预期的CSRF令牌。您的会话已过期403
https://gxnotes.com/article/245164.html

Spring Security – Customize the 403 Forbidden/Access Denied Page
http://www.baeldung.com/spring-security-custom-access-denied-page

What is the best way to handle Invalid CSRF token found in the request when session times out in Spring security的更多相关文章

  1. Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

    Spring Security :HTTP Status 403-Invalid CSRF Token 'null' was found on the request parameter '_csrf ...

  2. Spring Security Oauth2 使用 token 访问资源服务器出现异常:Invalid token does not contain resource id (oauth2)

    异常如图 查看资源服务器的日志 p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error=&quo ...

  3. Cross Site Request Forgery (CSRF)--spring security -转

    http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html 13. Cross ...

  4. Java 安全之:csrf防护实战分析

    上文总结了csrf攻击以及一些常用的防护方式,csrf全称Cross-site request forgery(跨站请求伪造),是一类利用信任用户已经获取的注册凭证,绕过后台用户验证,向被攻击网站发送 ...

  5. CSRF 详解:攻击,防御,Spring Security应用等

    本文原创,更多内容可以参考: Java 全栈知识体系.如需转载请说明原处. CSRF(Cross-site request forgery跨站请求伪造,也被称成为"one click att ...

  6. SpringSecurity基本使用

    SpringSecurity web 安全管理框架 需要依赖多 shiro 轻量 SSM+Shiro SpringBoot/SpringCloud+SpringSecurity 配置用户名密码 配置文 ...

  7. 执行CSRF令牌所有形式使用POST方法

    从而在并未授权的情况下执行在权限保护之下的操作,有很大的危害性. php CSRF Guardfunction csrfguard_generate_token($unique_form_name){ ...

  8. Spring Security4.1.3实现拦截登录后向登录页面跳转方式(redirect或forward)返回被拦截界面

    一.看下内部原理 简化后的认证过程分为7步: 用户访问网站,打开了一个链接(origin url). 请求发送给服务器,服务器判断用户请求了受保护的资源. 由于用户没有登录,服务器重定向到登录页面 填 ...

  9. Spring Security(三十六):12. Spring MVC Test Integration

    Spring Security provides comprehensive integration with Spring MVC Test Spring Security提供与Spring MVC ...

随机推荐

  1. FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords

    In this Document   Goal   Solution   1. Error Starting Application Services After Changing APPS Pass ...

  2. linux服务搭建----ssh服务开启

    //ssh  服务     ssh 192.168.88.254         如何开启   service sshd restart     关掉该服务 servicesshd stop     ...

  3. C++中的new/delete

    不同于C语言中的malloc/free是库函数,C++语言中的new/delete是运算符,而不是库函数. new/delete执行流程 我们经常会接触到的是new/delete operator(就 ...

  4. OpenCV手写数字字符识别(基于k近邻算法)

    摘要 本程序主要参照论文,<基于OpenCV的脱机手写字符识别技术>实现了,对于手写阿拉伯数字的识别工作.识别工作分为三大步骤:预处理,特征提取,分类识别.预处理过程主要找到图像的ROI部 ...

  5. Jfinal调用Orcale存储过程

    因为项目需要,最近一直在学习Orcale存储过程,但发现在网上很少有人写Jave中Jfinal调用Orcale存储过程的文章,即使有也是几年前的,很多都不能用,今天给大家分享一段Jfinal调用Orc ...

  6. permutations(全排列)

    Given a collection of distinct numbers, return all possible permutations. For example,[1,2,3] have t ...

  7. java基础语法(二)--单列模式

    java基础语法(二)--单列模式 /** * 功能:单列模式 * @author Administrator * */ public class SingletonTest { public sta ...

  8. 双机热备ROSE HA工作原理

    双机热备ROSE HA工作原理 当双机热备软件启动后,ROSE HA首先启动HA Manager管理程序,根据高可靠性系统的配置结构初始化,然后启动必要的服务和代理程序来监控和管理系统服务.HA代理程 ...

  9. Install OpenCV 3.0 and Python 2.7+ on Ubuntu

    为了防止原文消失或者被墙,转载留个底,最好还是去看原贴,因为随着版本变化,原贴是有人维护升级的 http://www.pyimagesearch.com/2015/06/22/install-Open ...

  10. Web运营手记

    1.图片是给活人用户看的,相对来讲,文字是给搜索引擎看的.精华内容争取要在网站或者频道主页里面让人看到. 2.搜索引擎喜欢看的几种文字:页面标题.关键词元信息(只有Bing管点用).描述(descri ...