0
votes

This is the scenario:

I'm using Spring Security 4.0.1, which has CSRF enabled by default, and everything was working OK until yesterday.

Yesterday I added Spring Security Tags, and the login (and other forms) were working fine, but one particular form stopped working.

This form is multipart because it uploads two files. It includes the CSRF parameter, but the server is returning:

HTTP Status 403 - Expected CSRF token not found. Has your session expired?

This is basically the form:

<form id="documentForm" class="card-panel" method="POST" enctype="multipart/form-data" action="<c:url value="/documents/signDocument?${_csrf.parameterName}=${_csrf.token}"/>">
  <input type="file" name="document"/>
  <input type="text" name="signer"/>
</form>

Of course this is a completely cut-off version of the form, but notice the CSRF parameter is being sent through the action URL. And yes, I've tried putting the CSRF parameter in a hidden input with the same result.

On a side note, this form can be accessed as an Anonymous User.

1
To avoid putting the token in the URL, you can add the token in meta tags in the HTML header, then add it to the XHR request header, like I described here: stackoverflow.com/questions/21514074/… – Andrei Epure

1 Answer

0
votes

The exception you are facing is thrown in

org.springframework.security.web.csrf.CsrfFilter#doFilterInternal

Place a breakpoint there and you can see the expected CSRF token for the current session, as well as the token received from the header or request parameter.

This error may also happen if the correct session was not found or the session cookie is wrong, so you may need to check for that as well.
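For the multipart case in the question, the reason a hidden `_csrf` input is invisible to CsrfFilter is that the filter runs before the multipart body is parsed. The configuration below is an added example, not code from the question or the answer: it registers Spring's MultipartFilter ahead of the security filter chain so that `request.getParameter("_csrf")` resolves the form field. It assumes Spring Security 4.x Java configuration (no web.xml) and a multipart resolver available to MultipartFilter (either a bean named `filterMultipartResolver` in the root context, or servlet 3.0 multipart support on the dispatcher servlet for the default StandardServletMultipartResolver).

```java
// Added example (not from the question or answer): place MultipartFilter
// before springSecurityFilterChain so that CsrfFilter can read a CSRF token
// sent as a multipart form field instead of in the action URL.
//
// Assumptions: Spring Security 4.x Java config; a MultipartResolver is
// available to MultipartFilter (bean "filterMultipartResolver" in the root
// WebApplicationContext, or servlet 3.0 multipart config on the dispatcher
// servlet so the default StandardServletMultipartResolver works).
import javax.servlet.ServletContext;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.multipart.support.MultipartFilter;

public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        // insertFilters() registers the given filters so they run ahead of
        // springSecurityFilterChain. With the body already parsed, CsrfFilter's
        // request.getParameter(csrfToken.getParameterName()) call finds the
        // hidden <input type="hidden" name="${_csrf.parameterName}"
        // value="${_csrf.token}"/> field in a multipart/form-data POST.
        //
        // Trade-off to be aware of: multipart parsing now happens before any
        // authentication or CSRF check, so uploaded parts are written to the
        // container's temporary directory even for unauthenticated requests.
        // If that is unacceptable, keep the token in the action URL as the
        // question does, and check session/cookie handling as the answer suggests.
        insertFilters(servletContext, new MultipartFilter());
    }
}
```

With this in place, a `403 Expected CSRF token not found` that persists for the same form points away from multipart parsing and towards the session problems the answer mentions (no session cookie sent, or a session that does not hold the expected token).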