As the CSRF token in Spring WebFlux is stored in the WebSession, does that require sticky sessions to be turned on in a load balanced configuration?
Viewed 994 times
1 Answer
1
You do not necessarily need sticky session handling on the load balancer. If you make use of Spring Session you can externalize the session storage to some central data store like Redis. In this case each node of your application can access the same session data even if requests of the same session are dispatched to different nodes.

Georg Wittberger
- You are correct. I should have expanded on my question by stating I want to avoid having to back my session with a DB or Redis, which effectively excludes Spring Session. In that case my only recourse is to use sticky sessions. Right? – mahanhz Apr 15 '18 at 13:24
- The only decentralized solution which is supported by Spring Session directly is Hazelcast. But there is no convenient auto-configuration to make it work for reactive WebSession. You can use a distributed Map in the session repository though: https://docs.spring.io/spring-session/docs/2.0.2.RELEASE/reference/html5/#api-reactivemapsessionrepository. Nevertheless, if you really do not want central session storage and also want to avoid sticky sessions, you will have to outsource session state to the client (e.g. sessionStorage in the browser). – Georg Wittberger Apr 16 '18 at 13:08
- By the way, if CSRF protection is all you want, there is a cookie-based solution which allows you to keep the server stateless: https://docs.spring.io/spring-security/site/docs/5.0.4.RELEASE/reference/htmlsingle/#csrf-cookie – Georg Wittberger Apr 16 '18 at 13:10
- I am using WebFlux security and the csrfTokenRepository takes a ServerCsrfTokenRepository rather than CsrfTokenRepository. There is only a single implementation of ServerCsrfTokenRepository, which is WebSessionServerCsrfTokenRepository. Anyhow, I got a very helpful [answer](https://stackoverflow.com/questions/49839186/spring-webflux-session-management) to get Hazelcast session replication working with Spring WebFlux. So now I have in-memory session replication, which is what I was looking for all along. – mahanhz Apr 16 '18 at 15:27
- @mahanhz for reference, there's an existing GitHub issue on 'Request CookieServerCsrfTokenRepository for webflux.' https://github.com/spring-projects/spring-security/issues/4932 – Hartmut Jul 24 '18 at 16:29
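The setup the thread converges on, as an added example that is not from the question, the answer or the linked Stack Overflow post: a Spring Session `ReactiveMapSessionRepository` backed by a Hazelcast `IMap`, so the WebSession (and the CSRF token inside it) is replicated in memory across nodes and no sticky sessions are needed. It assumes Spring Security 5.0.x and Spring Session 2.0.x (the versions in the thread), Hazelcast on the classpath, and Hazelcast's default cluster discovery; the map name `spring:session:sessions` is an arbitrary choice.

```java
import java.util.Map;

import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.ReactiveSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;

@Configuration
@EnableWebFluxSecurity
@EnableSpringWebSession // replaces the default in-memory WebSessionStore with Spring Session
public class ReplicatedSessionCsrfConfig {

    // One Hazelcast member per application node. Members find each other via
    // Hazelcast's default discovery (assumption); tune this for your network.
    @Bean(destroyMethod = "shutdown")
    public HazelcastInstance hazelcastInstance() {
        return Hazelcast.newHazelcastInstance();
    }

    // IMap is a java.util.Map replicated across the cluster, so any node can
    // load the WebSession for any request. MapSession and DefaultCsrfToken are
    // Serializable, which Hazelcast requires to ship values between members.
    @Bean
    public ReactiveSessionRepository<? extends Session> sessionRepository(HazelcastInstance hz) {
        Map<String, Session> sessions = hz.getMap("spring:session:sessions"); // map name is a constructed choice
        return new ReactiveMapSessionRepository(sessions);
    }

    // WebSessionServerCsrfTokenRepository is already the default; it is set
    // explicitly here to make clear that the token lives in the replicated session.
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            .csrf().csrfTokenRepository(new WebSessionServerCsrfTokenRepository()).and()
            .authorizeExchange().anyExchange().authenticated().and()
            .httpBasic().and()
            .build();
    }
}
```

Because the whole session is stored as one map value, a node that changes session attributes must go through the repository's `save`, which puts the updated copy back into the map; a session read on another node before that write completes still sees the old state.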