
Programmatically Disable CSRF for x-auth-token

Open rwinch opened this issue 10 years ago • 2 comments

We should provide a way for Spring Session to programmatically disable Spring Security's CSRF support on requests in which x-auth-token is used for establishing the session.

We could perhaps disable CSRF in Spring Security when:

  • x-auth-token is provided
  • No cookies are present (specifically JSESSIONID, but remember the cookie name can be configured)

We should be mindful of how this works in a CORS scenario.

If changes are made to Spring Security we should be mindful of how this will work in an OAuth scenario.

rwinch · Sep 08 '15 20:09
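One way to express the two bullets above as a Spring Security `RequestMatcher`, added here as an illustration and not code from the Spring Session or Spring Security projects: the class names, the `SESSION_HEADER` constant and the conservative "no cookies at all" reading of the second bullet are assumptions, and it targets the Spring Security 4.x Java config of the time (`WebSecurityConfigurerAdapter`, `csrf().requireCsrfProtectionMatcher`).

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class HeaderSessionCsrfConfig extends WebSecurityConfigurerAdapter {

    // Assumed to match the header Spring Session's HeaderHttpSessionStrategy uses by default.
    private static final String SESSION_HEADER = "x-auth-token";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF stays enabled; the matcher decides which requests must carry a token.
        http.csrf().requireCsrfProtectionMatcher(new HeaderSessionCsrfMatcher(SESSION_HEADER));
    }

    // Requires a CSRF token on state-changing requests unless the session is carried
    // only in the x-auth-token header and the request brings no cookies at all.
    static final class HeaderSessionCsrfMatcher implements RequestMatcher {
        // The same read-only methods Spring Security's default CSRF matcher exempts.
        private static final List<String> SAFE_METHODS = Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS");
        private final String headerName;

        HeaderSessionCsrfMatcher(String headerName) {
            this.headerName = headerName;
        }

        @Override
        public boolean matches(HttpServletRequest request) {
            if (SAFE_METHODS.contains(request.getMethod())) {
                return false; // read-only methods never need a token
            }
            boolean headerSession = request.getHeader(headerName) != null;
            // Conservative reading of the issue: any cookie may be an ambient session the
            // browser attached on its own, so the check does not depend on the JSESSIONID
            // cookie name, which is configurable.
            boolean anyCookie = request.getCookies() != null && request.getCookies().length > 0;
            // A browser adds a custom header only to a request the page scripted itself, and
            // cross-origin that needs a CORS preflight the server must approve, so a
            // header-only session is not exposed to cookie-based CSRF.
            return !(headerSession && !anyCookie);
        }
    }
}
```

Because the exemption relies on the browser refusing to add a custom header without an approved preflight, the CORS allowed-origins list becomes part of the CSRF boundary and should name only trusted origins.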

Hi @rwinch. Just wanted to check what the team's preference is on this issue, since I'm working on a REST service code base accepting GET and POST requests. So I don't know what the recommended setting is when using x-auth-token in a Spring Session based REST service.

Should I handle both tokens on the client side? Thanks!

jjzazuet · Apr 28 '17 15:04

Found some bits of discussion here: http://stackoverflow.com/questions/36697478/csrf-protection-and-spring-session-header-session-strategy/43363213

Thanks!

jjzazuet · Apr 28 '17 15:04