7
votes

I am using the <csrf/> tag in my Spring Security XML file for a web project, and sending the CSRF token in a form:

<form action="" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

But on intercepting the request through Burp Suite, I am getting the same CSRF token on every request as long as the session persists.

Is there any way I could send a different CSRF token per request rather than per session in Spring Security?

I am using the Spring Security 3.2.4 jars.


1 Answer

7
votes

The default duration of CSRF tokens is the session duration. The CSRF token is stored in the HTTP session and is therefore generated on a per-session basis. Check the Spring Security documentation on CSRF for more details.

Spring Security can be extended to suit individual needs, so it can be extended for your purpose.

But this extension influences usability:

  1. Opening the web app in a second tab will cause the session to break in one or both tabs.
  2. The 'back' button on submitted forms might cause some strange errors.
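One way to get the per-request behaviour the question asks for, as an added example that is not part of the original answer or of Spring Security itself: a filter placed right after the built-in CsrfFilter that replaces the session token once a state-changing request has passed the CSRF check. It assumes the Spring Security 3.2 CsrfToken/CsrfTokenRepository/CsrfFilter APIs; the class name RotatingCsrfTokenFilter is hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical filter (not part of Spring Security) that runs right after
 * CsrfFilter. By the time it executes, CsrfFilter has already rejected any
 * state-changing request whose token did not match the one in the session,
 * so replacing the stored token here makes each submitted token single-use:
 * the next rendered page carries a fresh one. This is exactly what breaks
 * the second-tab and back-button cases the answer warns about, because a
 * page rendered earlier still holds the old, now-invalid token.
 */
public class RotatingCsrfTokenFilter extends OncePerRequestFilter {

    private final CsrfTokenRepository repository;

    // Must be the same repository bean that <csrf token-repository-ref="..."/> uses.
    public RotatingCsrfTokenFilter(CsrfTokenRepository repository) {
        this.repository = repository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // GET/HEAD/OPTIONS/TRACE are not CSRF-checked by CsrfFilter, so only
        // rotate after a request that actually consumed the token.
        String method = request.getMethod();
        boolean safe = "GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method) || "TRACE".equals(method);
        if (!safe) {
            CsrfToken fresh = repository.generateToken(request);
            repository.saveToken(fresh, request, response);
            // Expose the new token under the same request attributes CsrfFilter
            // uses, so ${_csrf.token} in the rendered view picks up the new value.
            request.setAttribute(CsrfToken.class.getName(), fresh);
            request.setAttribute(fresh.getParameterName(), fresh);
        }
        chain.doFilter(request, response);
    }
}
```

Wire it in the security XML by defining an HttpSessionCsrfTokenRepository bean, pointing `<csrf token-repository-ref="..."/>` at it, and registering the filter with `<custom-filter after="CSRF_FILTER" ref="..."/>` so it runs once the built-in check has passed.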