
I have researched this issue on SE and have not found an answer that resolves the problem that occurs.

From my point of view, every time I log out of the session in the web app and open a new tab, this error is always triggered. I think the session management does not allow the CSRF token to be exposed in another tab in the browser.

When I trace the JSESSIONID in the Chrome cookies console, it shows that no response is given, compared to a normal successful login, which gives a response containing the JSESSIONID.

This is my login page form:

<form name='loginForm' action="<c:url value='/login' />" method="post">
    <%-- CSRF token expected by Spring Security's CsrfFilter on every POST --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <div id="username_input">
        <div id="username_inputleft"></div>
        <div id="username_inputmiddle">
            <%-- ids must be unique per page; both inputs originally shared id="url" --%>
            <input type="text" name="username" id="username" placeholder="<spring:message code="login.name" />" >
            <img id="url_user" src="<c:url value="/resources/images/login/mailicon.png"/>" alt="">
        </div>
        <div id="username_inputright"></div>
    </div>
    <div id="password_input">
        <div id="password_inputleft"></div>
        <div id="password_inputmiddle">
            <input type="password" name="password" id="password" placeholder="<spring:message code="login.password" />" >
            <img id="url_password" src="<c:url value="/resources/images/login/passicon.png"/>" alt="">
        </div>
        <div id="password_inputright"></div>
    </div>
    <div id="submit">
        <input type="image" src="<c:url value="/resources/images/login/submit_hover.png"/>" id="submit1" value="Sign In" />
        <input type="image" src="<c:url value="/resources/images/login/submit.png"/>" id="submit2" value="Sign In" />
    </div>
</form>

I think the problem was from session management in my security configuration here:

.sessionManagement()
        .sessionFixation()
        .newSession()
        .maximumSessions( 1 );

but somehow I cannot solve the problem. I hope someone can help.

Update:

I logout by using this link:

<a href="<c:url value="/logout" />">
 <spring:url value="/resources/images/logout.jpg" var="logoutimg" />
 <img src="${logoutimg}">
 <spring:url value="/resources/images/logout_txt.jpg" var="logouttxtimg" />
 <img class="hidden-xs" src="${logouttxtimg}" />
</a>
FreezY
  • Another tab isn't a new session, it is the same session. Also HOW are you doing the logout? Show the link/form you are using. – M. Deinum Dec 08 '15 at 07:44
  • I think a new tab also doesn't affect the session, but it doesn't work only when I open the same link in a new tab; it works normally on the same tab. – FreezY Dec 08 '15 at 07:56
  • You will need a new browser, else everything will be shared. So you need to use Chrome and Firefox, for instance (or shut down Chrome first). Opening a new tab, or clicking a link, is the same; it isn't a new browser. – M. Deinum Dec 08 '15 at 07:58
  • When using CSRF you cannot log out using a link; you will need a form posting to the logout link to include the CSRF token. – M. Deinum Dec 08 '15 at 08:01
  • Yup, opening in a new browser, or restarting the current browser, also works as normal, so does it mean I cannot use 2 tabs with the same URL and always need to restart or open a new browser to make it work? – FreezY Dec 08 '15 at 08:03
  • You cannot have 2 different sessions in 2 browser tabs, as that isn't how browsers work. – M. Deinum Dec 08 '15 at 08:05
  • Can you give me an example of how to properly log out when using CSRF? – FreezY Dec 08 '15 at 08:05
  • That is simply explained in the Spring Security reference guide. – M. Deinum Dec 08 '15 at 08:06
  • Ok, thanks for your help :) – FreezY Dec 08 '15 at 08:08

2 Answers


For some reason, we need to use /logout or /j_spring_security_logout to log the current user out. If we use another method to log out programmatically, the logout process will not complete unless I use the URL provided. Thanks for the help. If someone comes up with a solution to log out programmatically and completely without affecting Spring Security, please tell me. Thanks.

FreezY

Try this in your controller:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@RequestMapping("/Logout")
public ModelAndView processLogout(HttpServletRequest request, HttpServletResponse response) {
    // Fetch the current authentication and clear it with Spring Security's own handler,
    // which invalidates the HttpSession and empties the SecurityContext
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    // mv must be declared before use (the snippet as posted left it undeclared)
    ModelAndView mv = new ModelAndView();
    mv.setViewName("Login");
    return mv;
}

And in your login page insert

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />

Don't forget to add this to your security configuration

<security:logout delete-cookies="JSESSIONID"
        logout-success-url='/login?logout' logout-url="/Logout"
        invalidate-session="true" />
tlili_souf
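The following is an added example, not code from the question or from either answer: it is the Java-config equivalent of the <security:logout> XML element in the second answer, combined with the sessionManagement() settings from the question, so that both live in one WebSecurityConfigurerAdapter as the question's own configuration does. It assumes Spring Security 4.x, the /login and /logout URLs already used on this page, and a login view resolved from the "login" name; those are assumptions, not facts taken from the page. Because csrf() is left at its default (enabled), Spring Security's LogoutConfigurer only matches a POST to /logout, which is the reason the image link in the question has to become a form that carries the _csrf hidden input, exactly as M. Deinum's comment states.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: Java-config equivalent of the XML <security:logout> element,
 * merged with the session-management rules from the question.
 * Assumes Spring Security 4.x and the /login and /logout URLs used on this page.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Static resources and the login page are public; everything else needs a session
            .authorizeRequests()
                .antMatchers("/login", "/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // Form login posting to /login; the login form must carry the _csrf hidden input
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            // Same settings as logout-url / logout-success-url / invalidate-session /
            // delete-cookies in the XML answer. With CSRF enabled (the default) this
            // endpoint only accepts POST, so a GET link to /logout will not log out.
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .and()
            // Session rules copied from the question: fresh session id after login,
            // at most one concurrent session per user
            .sessionManagement()
                .sessionFixation().newSession()
                .maximumSessions(1);
        // csrf() is intentionally not disabled; the token check stays on for every POST
    }
}
```

With this in place the logout control becomes a form rather than a link: a form with action="<c:url value='/logout' />" and method="post" that wraps the same ${_csrf.parameterName} / ${_csrf.token} hidden input as the login form, plus an image or submit input. Opening a second tab then behaves normally, because both tabs share the one JSESSIONID cookie and the token is read from the same session.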