
I'm trying to implement Tomcat's CSRF protection filter for my web app, where the users are stored in a MySQL DB, and because my controller is written to forward all requests I've edited the filter mapping to

    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

However, as per the OWASP recommendations, I'm also invalidating the user's session when they log in and then creating a new one.

This causes the filter to kick in and I get a 403.

I've looked around but cannot find a way to get the filter to work with this strategy.

So should I abandon the filter or stop invalidating the session?

Graham
  • Looks like you ran into a programming question, rather than a security question. Both are important and there is no technical reason why one should conflict with the other. – Jacco Nov 05 '17 at 17:26
  • Maybe a Tomcat CSRF filter question/limitation?? The Tomcat CSRF protection filter stores the nonce in the session. When I do not invalidate the session when the user logs in, it works correctly. – Graham Nov 05 '17 at 18:32

1 Answer


A workaround is to define an additional page for a successful login.

Graham
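One way to realise that extra post-login page, as an added example that is not code from the question or the answer: a login servlet that rotates the session (the OWASP advice) and then redirects, rather than forwards, to a landing page registered in the Tomcat filter's `entryPoints` init-param, so the filter seeds a fresh nonce cache in the new session instead of returning 403. `UserDao`, the `/login` and `/postlogin` paths and the form parameter names are assumptions of this example.

```java
// Tomcat's CsrfPreventionFilter keeps its nonce cache in the HttpSession. After
// invalidate() the new session has no cache, so a FORWARDed request is rejected
// with 403. Redirecting to a GET entry point sidesteps that: entry points are
// exempt from the nonce check and the filter creates a fresh cache on that GET.
//
// Assumed web.xml fragment (entryPoints is a real init-param of the filter;
// the two paths are this example's own):
//   <filter>
//     <filter-name>CSRFPreventionFilter</filter-name>
//     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
//     <init-param>
//       <param-name>entryPoints</param-name>
//       <param-value>/login,/postlogin</param-value>
//     </init-param>
//   </filter>
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Hypothetical DAO that checks the credentials against the MySQL user table.
    private final UserDao userDao = new UserDao();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!userDao.authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: drop the pre-login session, start a new one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);

        // Redirect, not forward: a forward would run the CSRF filter again against
        // the fresh session, which has no nonce cache yet, and end in a 403.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/postlogin"));
    }
}
```

The login form's own POST still needs the nonce the filter issued when the form was served (via `encodeURL` on the form action or the `org.apache.catalina.filters.CSRF_NONCE` request attribute), since only GET requests to entry points skip the check.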