2

We have an Angular web application that is fully service-oriented, and the ng front end consumes the REST web services via ng-services (so far standard). To avoid any automatic POST requests from bots or programs, we are using a CSRF (cross-site request forgery) token which is server-validated and expires after 15 minutes.

The problem: if we have long sessions on the same page without reloading, the token expires (for example during fairies or because of long forms).

The idea is to build a keep-alive service (heartbeat) to automatically 'refresh' the session in the background (until the customer browser is open).

Any ideas? Best practices? Thanks

thegio

1 Answer

2

Create a keep-alive service on the backend to refresh the

    @RequestMapping(value = "/api/keep-alive", method = RequestMethod.GET)
    public boolean keepAlive() {
        // TODO: refresh token session
        return true;
    }

In your main controller place:

    // Ping the keep-alive endpoint every 15 seconds
    var v = setInterval(function () {
        currentlyFetching = $http.get('api/keep-alive');
    }, 15 * 1000);

And your keep-alive/heartbeat service is in place.

thegio
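
An added example, not part of the original answer: a heartbeat that stops pinging once the user has been idle or the server rejects the session, so the keep-alive does not hold the 15-minute token open indefinitely in an unattended browser. `createKeepAlive` and its option names are hypothetical, and the 401/403 response for an expired session is an assumption.

```javascript
// Added example. createKeepAlive and its option names are hypothetical;
// only the 'api/keep-alive' endpoint and the 15-minute expiry come from the page.
function createKeepAlive(opts) {
  var now = opts.now || Date.now;          // injectable clock, used for testing
  var lastActivity = now();
  var timer = null;
  var state = { sent: 0, failed: 0, stopped: null };

  function stop(reason) {
    if (timer !== null) { clearInterval(timer); timer = null; }
    if (state.stopped === null) { state.stopped = reason; }
  }

  // Assumption: the server answers 401/403 once the session or token is gone.
  // Further pings cannot revive it, so the heartbeat stops.
  function onFailure(err) {
    state.failed += 1;
    if (err && (err.status === 401 || err.status === 403)) { stop('rejected'); }
  }

  // One heartbeat. Returns true if a request was sent, false if suppressed.
  function tick() {
    if (state.stopped !== null) { return false; }
    if (now() - lastActivity >= opts.idleLimitMs) {
      stop('idle');                        // let the server-side expiry apply
      return false;
    }
    state.sent += 1;
    Promise.resolve(opts.ping()).catch(onFailure);
    return true;
  }

  return {
    // Call from click/keypress handlers to record real user activity.
    touch: function () { lastActivity = now(); },
    start: function () {
      if (timer === null && state.stopped === null) {
        timer = setInterval(tick, opts.intervalMs);
      }
    },
    stop: stop, tick: tick, onFailure: onFailure, state: state
  };
}

// Sketch of use in an AngularJS controller (interval and idle limit are constructed values):
//   var ka = createKeepAlive({
//     ping: function () { return $http.get('api/keep-alive'); },
//     intervalMs: 5 * 60 * 1000, idleLimitMs: 60 * 60 * 1000 });
//   ka.start();
```

The interval has to be shorter than the token lifetime; once the heartbeat has stopped for idleness, the next request after the token expires fails and the user has to obtain a new token.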