
Documentation about CSRF and cookies is confusing

Open wujek-srujek opened this issue 2 years ago • 0 comments

Reading https://docs.spring.io/spring-security/reference/features/exploits/csrf.html for 5.7.2 one can read (https://docs.spring.io/spring-security/reference/features/exploits/csrf.html#csrf-protection-stp):

...
Requiring the actual CSRF token in a cookie does not work because cookies are automatically included in the HTTP request by the browser.
...

Then, under https://docs.spring.io/spring-security/reference/features/exploits/csrf.html#csrf-considerations-timeouts one can read:

...
Finally, the expected CSRF token could be stored in a cookie. This allows the expected CSRF token to outlive the session.
...

These statements seem to be contradicting. Should the CSRF token be put into a cookie in addition to the previously recommended HTTP parameter or an HTTP header?

wujek-srujek · Jul 21 '22 14:07
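The two documentation passages describe different roles for a cookie. The first warns against using a cookie as the *only* carrier of the token: the browser attaches cookies to cross-site requests automatically, so a cookie alone proves nothing. The second describes storing the *expected* token in a cookie while still requiring the client to echo it back in a header or form parameter, where a cross-site attacker cannot read it. The check therefore compares the cookie value with a separately submitted copy. The following Python is an added illustration of that double-submit comparison and is not Spring Security's code; the cookie name `XSRF-TOKEN`, header name `X-XSRF-TOKEN`, parameter name `_csrf` and the request dictionaries are assumptions constructed for the example.

```python
import hmac
import secrets

# Assumed names for the example; they follow the common cookie/header convention
# but are not taken from any particular framework's source.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"
PARAM_NAME = "_csrf"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token() -> str:
    """Generate a fresh, unguessable token to be set in the CSRF cookie."""
    return secrets.token_urlsafe(32)


def csrf_request_ok(method: str, cookies: dict, headers: dict, form: dict) -> bool:
    """Double-submit check.

    The *expected* token comes from the cookie (which the browser sends
    automatically). The *actual* token must arrive separately in a header or
    form parameter, which only same-origin code that can read the cookie is
    able to supply. Both must be present and equal.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = cookies.get(COOKIE_NAME)
    if not expected:
        return False
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    actual = lowered.get(HEADER_NAME.lower()) or form.get(PARAM_NAME)
    if not actual:
        return False
    # Constant-time comparison to avoid leaking token bytes via timing.
    return hmac.compare_digest(expected, actual)


def legitimate_request(token: str) -> bool:
    """Same-origin JavaScript read the cookie and copied it into the header."""
    return csrf_request_ok("POST", {COOKIE_NAME: token}, {HEADER_NAME: token}, {})


def forged_request(token: str) -> bool:
    """Cross-site form post: the browser attaches the cookie, but the attacker
    cannot read it, so no header or parameter carries the token."""
    return csrf_request_ok("POST", {COOKIE_NAME: token}, {}, {})


def guessed_request(token: str) -> bool:
    """Cross-site post that includes a guessed (wrong) token in the form."""
    return csrf_request_ok("POST", {COOKIE_NAME: token}, {}, {PARAM_NAME: issue_token()})


if __name__ == "__main__":
    t = issue_token()
    print("legitimate:", legitimate_request(t))  # True
    print("forged:    ", forged_request(t))      # False
    print("guessed:   ", guessed_request(t))     # False
```

Two caveats a practitioner should keep in mind when the expected token lives in a cookie: the cookie must be readable by same-origin script (so it cannot be HttpOnly if JavaScript is what copies it into the header), and the scheme assumes the attacker cannot set cookies for the application's domain, since an attacker who can plant both the cookie and the matching parameter defeats the comparison.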