
There is a form with POST method and csrf_token = '1' (for brevity).

After the session timeout, I submit the form and get redirected to login page. After logging in, I can see the old token (in the request) and the new generated token ('2') in CsrfFilter (in the debugger). Since these don't match, I get an InvalidCsrfTokenException and then a 403 error.

How should Spring normally behave in this case?

I checked these posts:

but they both look like workarounds. Is there no better option? Why wouldn't the Spring team include one of them as a default?

skwisgaar
  • The point of a CSRF token is to prevent CSRF attacks. This basically entails storing a token in the user session, which by the premise of your question, has expired, and thus, is gone. Both the "workarounds" in the questions you linked to are viable options. – Phil Oct 15 '16 at 11:20
  • We ran into this same issue and resolved it using a custom `AccessDeniedHandler` (see https://stackoverflow.com/a/47399348/225217) – Brice Roncace Nov 20 '17 at 20:42

0 Answers
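The custom `AccessDeniedHandler` route mentioned in the comments, written out as an added example (not code from the question or from the linked answers). It assumes Spring Security 4.x on `javax.servlet`; the class name and the `/login?expired` redirect target are assumptions.

```java
// Added example, not from the question or the linked answers. Assumes Spring
// Security 4.x with javax.servlet; the class name and "/login?expired" are
// hypothetical choices.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CsrfException;

/**
 * Separates a CSRF failure caused by an expired session (the token in the
 * form can no longer be in the session because that session is gone) from a
 * genuine token mismatch on a live session. The first case is sent back to
 * the login page; the second keeps the default 403 response.
 */
public class ExpiredSessionCsrfDeniedHandler implements AccessDeniedHandler {

    // Default Spring Security behaviour (403) for everything we do not treat specially.
    private final AccessDeniedHandler fallback = new AccessDeniedHandlerImpl();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        // MissingCsrfTokenException and InvalidCsrfTokenException both extend CsrfException.
        if (ex instanceof CsrfException && sessionWasLost(request)) {
            // The browser sent a token, but the session that issued it timed
            // out; CsrfFilter has just created a fresh session with a new
            // token, so the old one can never match. Ask the user to log in
            // again instead of reporting a forbidden request.
            response.sendRedirect(request.getContextPath() + "/login?expired");
            return;
        }
        // A CSRF mismatch on a session that is still alive, or any other
        // access denial, keeps the standard 403 handling.
        fallback.handle(request, response, ex);
    }

    private boolean sessionWasLost(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        // A session created during this very request means the previous one
        // had already expired when the POST arrived.
        return session == null || session.isNew();
    }
}
```

Register it with `http.exceptionHandling().accessDeniedHandler(new ExpiredSessionCsrfDeniedHandler())` in the security configuration; the login page should still render a fresh token so the resubmitted form is protected as usual.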