java - Session timeout kills CSRF token, making subsequent remember-me workflow fail -


i have spring 4 web application, based on spring security , spring mvc. includes csrf protection, remember-me feature. relevant parts of configuration included thereafter.

<sec:http auto-config="true">     <sec:intercept-url pattern="/public/**" access="is_authenticated_anonymously" />     <sec:intercept-url pattern="/**" access="role_user" />     <sec:access-denied-handler error-page="/403" />     <sec:form-login         login-page="/public/login"         authentication-failure-url="/public/login?error"         authentication-success-handler-ref="authenticationsuccesshandler"         username-parameter="username"         password-parameter="password" />     <sec:logout         logout-url="/logout"         logout-success-url="/public/login?logout"         delete-cookies="jsessionid" />     <sec:remember-me         services-ref="remembermeservices" key="***" />     <sec:csrf /> </sec:http>  <bean id="securityservice" class="custom userdetailsservice" /> <bean id="authenticationsuccesslistener" class="custom applicationlistener" /> <bean id="remembermeservices" class="org.springframework.security.web.authentication.rememberme.persistenttokenbasedremembermeservices">     <property name="key" value="***" />     <property name="userdetailsservice" ref="securityservice" />     <property name="tokenrepository" ref="custom persistenttokenrepository" />     <property name="parameter" value="rememberme" /> </bean> <bean id="authenticationsuccesshandler" class="org.springframework.security.web.authentication.savedrequestawareauthenticationsuccesshandler">     <property name="targeturlparameter" value="targeturl" /> </bean>

scenario: user opens post form , starts filling it, gets phone call or whatever, session times out, invalidating csrf token, user submits form, , gets "access denied". have been testing scenario manually removing jsessionid cookie in browser (leaving spring_security_remember_me_cookie).

expectation: when session times out, remember-me kicks in, authenticating user, , request processed.

questions: given nature of csrf , remember-me, expectation reasonable, or fundamentally flawed? make sense roll out own implementation of csrftokenrepository, storing token in database rather in session? accepted approaches aforementioned scenario?

thanks in advance.

you'll need warn user session expire.

if system supports draft versions of entities, auto-save draft right before session times out.

then show dialog indicating session has timed out , need login again, or @ least click refresh. security, should redirect them login page. 

<script>  /* n number of seconds until session times out on server */  window.settimeout(function(){    autosavecurrentform();   showwarning();  }, n);  </script>

Comments

Post a Comment

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

i'm trying create laravel 5.1 package uses twigbridge instead of .php views. can normal .php views display fine, when try make use of .twig templates i'm met error. possible use twigbridge templates when creating views laravel package or pretty stuck blade , php ? edit 1: loading twig template without extending works. it's when start using {% extends 'file' %} error comes out. i error error loading /virtual/laravel/packages/username/mypackage/src/views/sample.twig: template "templates.master" not defined () in "/virtual/laravel/packages/username/mypackage/src/views/sample.twig" @ line 1. my folders username |_ mypackage |_ src |_ controllers - samplecontroller.php |_ views |_ templates - master.twig - sample.twig twig template sample.twig {% extends 'templates.master' %} {% block content %} {{ parent()
Read more

firemonkey - How do I make a beep sound in Android using Delphi and the API? -

after having @ androidapi.jni.media.pas, coded following procedure: uses androidapi.jnibridge, androidapi.jni.media; procedure sound(aduration: integer); implementation procedure sound(aduration: integer); var volume: integer; streamtype: integer; tonetype: integer; tonegenerator: jtonegenerator; begin volume := tjtonegenerator.javaclass.max_volume; streamtype := ? tonetype := tjtonegenerator.javaclass.tone_dtmf_0; tonegenerator := tjtonegenerator.javaclass.init(streamtype, volume); tonegenerator.starttone(tonetype, aduration); end; but can't figure out how set value streamtype? thanks the stream type identify stream on beep must played. integer between 0 , 4 : stream_voice_call (0) stream_system (1) stream_ring (2) stream_music(3) stream_alarm(4)
Read more

jdbc - Not able to establish database connection in eclipse -

i want make new database connection (db2) in eclipse purpose of using jpa. in jpa perspective, in data source explorer view, when try create new db connection, receive following logs when try ping server. org.eclipse.datatools.connectivity.exceptions.dbnotstartexception: no start database command issued. errorcode = -4499, sqlstate = 08001. @ org.eclipse.datatools.enablement.ibm.db2.internal.luw.jdbcluwjdbcconnection.getconnectexception(jdbcluwjdbcconnection.java:74) @ org.eclipse.datatools.connectivity.ui.pingjob.gettestconnectionexception(pingjob.java:81) @ org.eclipse.datatools.connectivity.ui.pingjob.run(pingjob.java:63) @ org.eclipse.core.internal.jobs.worker.run(worker.java:54) caused by: com.ibm.db2.jcc.am.ro: [jcc][t4][2043][11550][4.8.87] exception java.net.connectexception: error opening socket server example.example.com/51.37.93.117 on port 50,000 message: connection timed out: connect. errorcode=-4499, sqlstate=08001 @ com.ibm.db2.jcc.am.gd.a(gd.j
Read more