
I am using Spring Boot 2.2 with Spring Security, and below is my Java configuration:

    http.authorizeRequests().anyRequest().authenticated()
        .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and().exceptionHandling().authenticationEntryPoint(authenticationFailureHandler)
        .and().exceptionHandling().accessDeniedHandler(accessDeniedHandler)
        .and().httpBasic()
        .and().csrf().requireCsrfProtectionMatcher(csrfRequestMatcher)
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

I see two Set-Cookie headers for XSRF-TOKEN in the response, as below. Not sure why.

    set-cookie: XSRF-TOKEN=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/hidden
    set-cookie: XSRF-TOKEN=5564cfc1-884d-4b89-9bb9-11a92f42bcc7; Path=/hidden

What am I missing here? Relatively new to Spring Security.

pomishra
  • https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1: "Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name. (See Section 5.3 for how user agents handle this case.)" It's indeed not RFC compliant. – QuidNovi Apr 25 '22 at 09:55
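Added example (Python, not code from the question, from Spring Security, or from the commenter): a minimal cookie store that processes the two Set-Cookie headers quoted above in response order, following the user-agent rules of RFC 6265 section 5.3 (Max-Age=0 evicts the cookie; a later cookie with the same name and path replaces the earlier one), plus a check for the section 4.1.1 duplicate-name condition the comment points at. The header values are copied from the question; the helper names and the sample header in the usage block are my own.

```python
# Added example, not from the question or from Spring Security: a small
# RFC 6265 section 5.3 cookie store plus a section 4.1.1 duplicate check.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed from the two response headers quoted in the question.
SET_COOKIE_HEADERS = [
    "XSRF-TOKEN=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/hidden",
    "XSRF-TOKEN=5564cfc1-884d-4b89-9bb9-11a92f42bcc7; Path=/hidden",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr-name-lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_expired(attrs, now):
    """RFC 6265 5.3: Max-Age takes precedence over Expires; Max-Age <= 0 expires now."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # an unparsable Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False  # an unparsable Expires is ignored
    return False


def apply_set_cookie(store, header, now=None):
    """Process one Set-Cookie header against `store`, which is keyed by (name, path)."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    key = (name, attrs.get("path", "/"))
    # 5.3 step 11: a cookie with the same name and path replaces the stored one;
    # step 12: if the new cookie is already expired it is evicted, not stored.
    store.pop(key, None)
    if not is_expired(attrs, now):
        store[key] = {
            "value": value,
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
        }
    return store


def cookie_store(headers, now=None):
    """Apply every Set-Cookie header in the order the response carried them."""
    store = {}
    for header in headers:
        apply_set_cookie(store, header, now)
    return store


def xsrf_cookie(headers, path="/hidden"):
    """Return the XSRF-TOKEN entry the user agent ends up with, or None."""
    return cookie_store(headers).get(("XSRF-TOKEN", path))


def duplicate_cookie_names(headers):
    """RFC 6265 4.1.1 check: cookie names that one response sets more than once."""
    counts = {}
    for header in headers:
        name = parse_set_cookie(header)[0]
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    print(xsrf_cookie(SET_COOKIE_HEADERS))                   # fresh token, HttpOnly off
    print(xsrf_cookie(list(reversed(SET_COOKIE_HEADERS))))   # None: order matters
    print(duplicate_cookie_names(SET_COOKIE_HEADERS))        # ['XSRF-TOKEN']
```

Run as shown, a conforming user agent ends with the second cookie (the real token, readable by script because `withHttpOnlyFalse()` omits HttpOnly), since the Max-Age=0 cookie is evicted and then replaced. The order is what makes this work: with the two headers swapped, the store holds no XSRF-TOKEN at all. The duplicate-name check reproduces the comment's point about section 4.1.1. The Max-Age=0 header is the shape `CookieCsrfTokenRepository.saveToken` writes when it is handed a null token, so the pair is a clear-then-reissue of the token within one response.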
