java - Session timeout kills CSRF token, making subsequent remember-me workflow fail
I have a Spring 4 web application based on Spring Security and Spring MVC. It includes CSRF protection and the remember-me feature. The relevant parts of the configuration are included hereafter.
<sec:http auto-config="true">
    <sec:intercept-url pattern="/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <sec:intercept-url pattern="/**" access="ROLE_USER" />
    <sec:access-denied-handler error-page="/403" />
    <sec:form-login login-page="/public/login"
                    authentication-failure-url="/public/login?error"
                    authentication-success-handler-ref="authenticationSuccessHandler"
                    username-parameter="username"
                    password-parameter="password" />
    <sec:logout logout-url="/logout" logout-success-url="/public/login?logout" delete-cookies="JSESSIONID" />
    <sec:remember-me services-ref="rememberMeServices" key="***" />
    <sec:csrf />
</sec:http>

<bean id="securityService" class="custom UserDetailsService" />
<bean id="authenticationSuccessListener" class="custom ApplicationListener" />

<bean id="rememberMeServices"
      class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <property name="key" value="***" />
    <property name="userDetailsService" ref="securityService" />
    <property name="tokenRepository" ref="custom PersistentTokenRepository" />
    <property name="parameter" value="rememberme" />
</bean>

<bean id="authenticationSuccessHandler"
      class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="targetUrlParameter" value="targeturl" />
</bean>
Scenario: the user opens a POST form, starts filling it in, gets a phone call or whatever, the session times out (invalidating the CSRF token), the user submits the form and gets "Access Denied". I have been testing this scenario by manually removing the JSESSIONID cookie in the browser (leaving the SPRING_SECURITY_REMEMBER_ME_COOKIE cookie in place).
Expectation: when the session times out, remember-me kicks in, authenticating the user, and the request is processed.
Questions: given the nature of CSRF and remember-me, is this expectation reasonable, or fundamentally flawed? Would it make sense to roll out my own implementation of CsrfTokenRepository, storing the token in the database rather than in the session? What are the accepted approaches to the aforementioned scenario?
Thanks in advance.
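One way to approach the CsrfTokenRepository question, as an added example that is not code from the question or the answer: a repository that keeps the token in a cookie instead of the HttpSession, so it survives session expiry and the remember-me login can proceed (a database row keyed on the current user would not help here, because CsrfFilter runs earlier in the filter chain than RememberMeAuthenticationFilter, so the user is not yet known when the token is loaded). It assumes a Servlet 3.0 container, the cookie and header names shown, and wiring via `<sec:csrf token-repository-ref="csrfTokenRepository"/>`; later Spring Security releases ship an equivalent CookieCsrfTokenRepository out of the box.

```java
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;

/**
 * Illustrative session-independent CsrfTokenRepository (not Spring's own class).
 * The token lives in a cookie, so it outlives the HttpSession; the browser sends
 * the cookie and the hidden form field, and CsrfFilter compares the two
 * ("double submit"). Caveat: any code able to set cookies for this host, e.g. on
 * a sibling subdomain, could plant its own token, so keep the host's cookie
 * scope tight and serve everything over HTTPS.
 */
public class CookieBackedCsrfTokenRepository implements CsrfTokenRepository {
    private static final String COOKIE_NAME = "XSRF-TOKEN";   // name chosen for this example
    private static final String HEADER_NAME = "X-XSRF-TOKEN"; // used by AJAX callers
    private static final String PARAMETER_NAME = "_csrf";     // matches ${_csrf.parameterName}

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, UUID.randomUUID().toString());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        // Spring passes null to clear the token (e.g. on login, so a fresh one is issued).
        String value = token == null ? "" : token.getToken();
        Cookie cookie = new Cookie(COOKIE_NAME, value);
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        cookie.setHttpOnly(true);                 // forms read it via ${_csrf}, not via JS
        cookie.setSecure(request.isSecure());     // never send the token over plain HTTP
        cookie.setMaxAge(token == null ? 0 : -1); // 0 deletes; -1 = browser session
        response.addCookie(cookie);
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, c.getValue());
            }
        }
        return null; // CsrfFilter then issues a new token, and rejects a POST that carried none
    }
}
```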
You'll need to warn the user that the session will expire.
If the system supports draft versions of entities, auto-save a draft right before the session times out.
Then show a dialog indicating that the session has timed out and they need to log in again, or at least click refresh. For security, you should redirect them to the login page.
<script>
/* n is the number of seconds until the session times out on the server;
   setTimeout takes milliseconds, hence the multiplication */
window.setTimeout(function () {
    autoSaveCurrentForm();
    showWarning();
}, n * 1000);
</script>