18.5.1 Timeouts
One issue is that the expected CSRF token is stored in the HttpSession, so as soon as the HttpSession expires your configured AccessDeniedHandler will receive an InvalidCsrfTokenException. If you are using the default AccessDeniedHandler, the browser will get an HTTP 403 and display a poor error message.

One might ask why the expected CsrfToken isn't stored in a cookie by default. This is because there are known exploits in which headers (i.e. those that specify the cookies) can be set by another domain. This is the same reason Ruby on Rails no longer skips CSRF checks when the X-Requested-With header is present. See the webappsec.org thread for the details of that exploit. Another disadvantage is that by removing the state (i.e. the timeout) you lose the ability to forcibly terminate the token if it is compromised.

A simple way to mitigate an active user experiencing a timeout is to have some JavaScript that lets the user know their session is about to expire. The user can click a button to continue and refresh the session.
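One way to implement the warning just described, as an added example that is not from the Spring documentation or the linked answer. It assumes the page exposes the session timeout and the CSRF token in <meta> tags named session-timeout, _csrf and _csrf_header, that a POST /keepalive endpoint exists which merely touches the session, and that the warning markup uses the element ids shown; all of these names are assumptions.

```javascript
// Added example: warn before the HttpSession (and the session-stored CSRF token) expires,
// and let a "Continue" button refresh the session. The <meta> names, /keepalive endpoint
// and element ids are assumptions, not part of Spring Security or the quoted answer.
const WARN_BEFORE_SECONDS = 60;

// When (ms) to show the warning for a given maxInactiveInterval; returns 0 (warn at once)
// when the interval is shorter than the lead time, so the warning is never skipped.
function warningDelayMs(maxInactiveSeconds, warnBefore = WARN_BEFORE_SECONDS) {
  if (!Number.isFinite(maxInactiveSeconds) || maxInactiveSeconds <= 0) {
    throw new Error('maxInactiveInterval must be a positive number of seconds');
  }
  return Math.max(0, (maxInactiveSeconds - warnBefore) * 1000);
}

// fetch() options for the keep-alive POST: same-origin cookies plus the CSRF token in the
// header name Spring publishes, so the refresh request is not itself rejected with a 403.
function keepAliveRequest(csrfHeaderName, csrfToken) {
  return { method: 'POST', credentials: 'same-origin', headers: { [csrfHeaderName]: csrfToken } };
}

// Countdown with injectable timer and fetch, so the logic also runs (and tests) outside a browser.
class SessionWatcher {
  constructor(opts) {
    const defaults = { setTimer: (fn, ms) => setTimeout(fn, ms), clearTimer: (h) => clearTimeout(h), handle: null };
    Object.assign(this, defaults, opts);
  }
  arm() { // (re)start the countdown; called on load and after every successful keep-alive
    if (this.handle !== null) this.clearTimer(this.handle);
    this.handle = this.setTimer(() => this.onWarn(), warningDelayMs(this.maxInactiveSeconds));
  }
  async extend(csrfHeaderName, csrfToken) { // "Continue" button handler
    const res = await this.doFetch('/keepalive', keepAliveRequest(csrfHeaderName, csrfToken));
    if (res.status === 403) return false; // token already invalid: the session is gone, reload instead
    if (res.ok) this.arm();
    return res.ok;
  }
}

if (typeof document !== 'undefined') { // browser wiring; skipped when run under Node
  const meta = (n) => document.querySelector(`meta[name="${n}"]`).content;
  const watcher = new SessionWatcher({
    maxInactiveSeconds: Number(meta('session-timeout')),
    doFetch: (url, opts) => fetch(url, opts),
    onWarn: () => { document.getElementById('session-warning').hidden = false; },
  });
  document.getElementById('session-continue').addEventListener('click', async () => {
    const ok = await watcher.extend(meta('_csrf_header'), meta('_csrf'));
    if (ok) document.getElementById('session-warning').hidden = true; else location.reload();
  });
  watcher.arm();
}
```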
Alternatively, specifying a custom AccessDeniedHandler allows you to process the InvalidCsrfTokenException any way you like. For an example of how to customize the AccessDeniedHandler, refer to the provided links for both XML and Java configuration.

Finally, the application can be configured to use CookieCsrfTokenRepository, which will not expire. As previously mentioned, this is not as secure as using a session, but in many cases it can be good enough.
https://docs.spring.io/spring-security/site/docs/4.2.3.RELEASE/reference/htmlsingle/#csrf-timeouts
What is the best way to handle "Invalid CSRF token found in the request" when the session times out in Spring Security?
The easiest way I found to handle invalid CSRF tokens when the session times out at the login page is one of the following:

Redirect the request to the login page again via CustomAccessDeniedHandler:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.web.access.AccessDeniedHandlerImpl;
    import org.springframework.security.web.csrf.InvalidCsrfTokenException;
    import org.springframework.security.web.csrf.MissingCsrfTokenException;

    static class CustomAccessDeniedHandler extends AccessDeniedHandlerImpl {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException)
                throws IOException, ServletException {
            // A missing or stale CSRF token on the login page means the session expired:
            // send the user back to the login page instead of a bare 403.
            if (accessDeniedException instanceof MissingCsrfTokenException
                    || accessDeniedException instanceof InvalidCsrfTokenException) {
                if (request.getRequestURI().contains("login")) {
                    response.sendRedirect(request.getContextPath() + "/login");
                    return; // the response is committed; do not fall through to the 403 handling
                }
            }
            // Every other access-denied case keeps the default behaviour (HTTP 403 / error page).
            super.handle(request, response, accessDeniedException);
        }
    }
Add a Refresh header as Neil McGuigan suggested:
<meta http-equiv="refresh" content="${pageContext.session.maxInactiveInterval}">
Furthermore, you must create a bean for the new CustomAccessDeniedHandler and register it. The following example shows this for Java config.
In any config class:
    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        return new CustomAccessDeniedHandler();
    }
In your security config, modify the configure method as follows:

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            // ...
            .exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler()); // register the custom handler
    }
Also See here.
A more optimum solution would be for Spring Security to handle this situation in their framework.
https://stackoverflow.com/questions/32446903/What-is-the-best-way-to-handle-invalid-csrf-token-found-in-the-request-when-sess
The expected CSRF token was not found. Your session has expired 403
https://gxnotes.com/article/245164.html
Spring Security – Customize the 403 Forbidden/Access Denied Page
http://www.baeldung.com/spring-security-custom-access-denied-page