
I'm new to Vaadin and I want to implement CSRF token protection. I found that Vaadin already injects a CSRF token in requests, but the problem is that the CSRF token is the same in each request. Is there any configuration in Vaadin to generate a new token in each request? Or is there any way to force Vaadin to regenerate a CSRF token when a new session is created?

I used the following code to solve a session fixation vulnerability, but the problem is that the CSRF token remains the same as the previous session's token, because the reinitializeSession method creates a new session with the same contents but a new JSESSIONID:

VaadinService.reinitializeSession()

1 Answer


There's currently a pull request open for adding that kind of functionality: https://github.com/vaadin/framework/pull/10953.

Leif Åstrand
  • Thank you for your answer. I just checked the link and I think it's not related to my question; could you give more details? – Haneen Jabr Jun 13 '18 at 12:20
  • That's all there is. The problem with changing the per-session token on the fly is that the user might have the application open in multiple browser tabs at the same time, thus sharing the same `VaadinSession` and token. If the token stored in the session is changed by an action in one of the tabs, the application state in the other tabs will not be aware of that change and would therefore fail with quite weird error messages the next time the user tries to do anything with them. – Leif Åstrand Jun 14 '18 at 04:08
  • Does the committed code in the open pull request solve this problem? – Haneen Jabr Jun 14 '18 at 06:55
  • The approach in the pull request works slightly better (but it's still not perfect) since it's based on a cookie that is automatically discovered by all open applications. – Leif Åstrand Jun 14 '18 at 07:05
  • Is there any way to force Vaadin to generate a new CSRF token when a new session is created? I use VaadinService.reinitializeSession() to create a new session after user login, but the problem is that the CSRF token remains the same as the previous session's token, because the reinitializeSession method creates a new session with the same old session contents but a new JSESSIONID. – Haneen Jabr Jun 14 '18 at 07:15
  • There is no such functionality today, and a naive implementation would have serious problems with multiple browser tabs. To be able to support that kind of functionality, it would probably be necessary to redesign the functionality so that each UI instance has a separate token instead of doing it for the entire `VaadinSession`. – Leif Åstrand Jun 14 '18 at 10:09
  • > Is there any way to force Vaadin to generate a new CSRF token when a new session is created? Just note, a new token is created when a new VaadinSession object is created via the normal process: https://github.com/vaadin/framework/blob/master/server/src/main/java/com/vaadin/server/VaadinSession.java#L745 – Tatu Lund Jun 15 '18 at 05:12
  • @TatuLund Thanks for the reply. I have added the following code to create a new Vaadin session, which should create a new CSRF token; after that I tried to set the created session as the user's new session, but it does not take the new session, although I do get a new CSRF token when I print it on the console: System.out.println(vaadinSession.getCsrfToken()); Here is the code that I used: VaadinSession vaadinSession = new VaadinSession(VaadinService.getCurrent()); VaadinSession.setCurrent(vaadinSession); – Haneen Jabr Jun 19 '18 at 14:21
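A toy model of the multi-tab problem discussed in the comments above. This is an added example, not Vaadin code and not from the answer's author or the question's author: `Session`, `Tab` and `Server` are assumed stand-ins for a `VaadinSession`, the UI instance behind one browser tab, and the server-side request handler, and the token scheme is constructed for the demonstration. It shows that rotating a session-scoped token on one tab's request (the post-login step the question asks about) makes the other tab's next request fail, while a token scoped per UI instance, the redesign Leif Åstrand describes, leaves the other tab unaffected.

```python
"""Toy model of CSRF-token scoping: one token per session vs one per UI (tab).

Constructed example, not Vaadin code. Session/Tab/Server stand in for a
VaadinSession, a browser tab's UI instance, and the request handler.
"""
import hmac
import secrets
from dataclasses import dataclass, field


class TokenMismatch(Exception):
    """Raised when a request carries a token the server no longer accepts."""


@dataclass
class Session:
    """Server-side state shared by every tab the same browser has open."""
    token: str = field(default_factory=lambda: secrets.token_hex(16))  # session-wide token
    ui_tokens: dict = field(default_factory=dict)                       # ui_id -> token (per-UI design)


@dataclass
class Tab:
    """A browser tab: keeps the token it was handed when its UI was bootstrapped."""
    ui_id: int
    token: str


class Server:
    def __init__(self, per_ui: bool):
        self.per_ui = per_ui  # False: one token per session; True: one token per UI instance
        self._next_ui = 0

    def open_tab(self, session: Session) -> Tab:
        """Bootstrap a new UI in the given session and hand its token to the tab."""
        ui_id = self._next_ui
        self._next_ui += 1
        if self.per_ui:
            session.ui_tokens[ui_id] = secrets.token_hex(16)
        return Tab(ui_id, self._current(session, ui_id))

    def _current(self, session: Session, ui_id: int) -> str:
        return session.ui_tokens[ui_id] if self.per_ui else session.token

    def _rotate(self, session: Session, ui_id: int) -> str:
        fresh = secrets.token_hex(16)
        if self.per_ui:
            session.ui_tokens[ui_id] = fresh
        else:
            session.token = fresh
        return fresh

    def handle(self, session: Session, tab: Tab, rotate: bool = False) -> None:
        """Validate the tab's token in constant time; optionally rotate it afterwards.

        The fresh token travels back only in the response to the tab that made
        the request, so any other tab sharing the session never learns it."""
        expected = self._current(session, tab.ui_id)
        if not hmac.compare_digest(expected, tab.token):
            raise TokenMismatch(f"ui {tab.ui_id}: stale token")
        if rotate:
            tab.token = self._rotate(session, tab.ui_id)


def run_scenario(per_ui: bool) -> dict:
    """Two tabs share one session; tab A logs in and its token is rotated.

    Returns whether the rotation happened and whether tab B's next request,
    sent with the token it still holds, is accepted."""
    session = Session()
    server = Server(per_ui)
    tab_a = server.open_tab(session)
    tab_b = server.open_tab(session)
    before = tab_a.token
    server.handle(session, tab_a, rotate=True)  # login in tab A rotates the token
    try:
        server.handle(session, tab_b)           # tab B knows nothing about the rotation
        tab_b_ok = True
    except TokenMismatch:
        tab_b_ok = False
    return {"rotated": before != tab_a.token, "tab_b_ok": tab_b_ok}


if __name__ == "__main__":
    print("per-session token:", run_scenario(per_ui=False))  # tab B is rejected
    print("per-UI token:     ", run_scenario(per_ui=True))   # tab B is unaffected
```

In the per-UI variant tab B simply keeps its own token, so rotation in tab A touches only state tab A will receive in its own response; that is the property the session-wide token lacks. Note that this model only rotates tokens: it does not replace the session itself, which is what the session fixation fix in the question needs in addition.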