
CSRF token not changing per request

manickarajm
Explorer
0 Kudos

Hi experts,

One security aspect is that the CSRF token should be changed per request so that no one can forge or frame any form details.

However, the OOTB CSRFTokenManager checks that the session's CSRF token and the per-request CSRF token are the same. This means that once a CSRF token is created, it never changes for that session.

    synchronized (session)
    {
        // Reuse the token already stored on the session, if there is one
        token = (String) session.getAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME);
        if (null == token)
        {
            // First request of the session: mint a random token and bind it to the session
            token = UUID.randomUUID().toString();
            session.setAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME, token);
        }
    }

Any idea how we can change this without impacting the product storefront behavior?

Thanks, k

Accepted Solutions (1)

andyfletcher
Active Contributor
0 Kudos

I think this post sums it up quite succinctly.

It brings almost zero security advantage, and it costs you in terms of usability

https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request
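
The following is an added example (not SAP Commerce code and not from the linked post) that puts the two strategies side by side: the per-session token the question quotes from CSRFTokenManager, and a per-request token that is replaced every time a form is rendered. The FakeSession class, the attribute name "CSRFToken" and the two-tab scenario in main are all constructed for this illustration. Running it shows the usability cost the answer refers to: with a per-request token, opening the same form in a second tab invalidates the first tab's token, while the per-session token still validates both. Validation uses MessageDigest.isEqual so the comparison does not leak token bytes through timing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical stand-in for HttpSession: a plain attribute map keyed by name.
final class FakeSession {
    private final Map<String, Object> attrs = new HashMap<>();
    synchronized Object getAttribute(String name) { return attrs.get(name); }
    synchronized void setAttribute(String name, Object value) { attrs.put(name, value); }
}

public final class CsrfStrategies {
    // Constructed attribute name; the product uses CSRF_TOKEN_FOR_SESSION_ATTR_NAME.
    static final String ATTR = "CSRFToken";

    // Per-session strategy (the behaviour described in the question):
    // mint once, reuse for the whole session.
    static String sessionToken(FakeSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(ATTR);
            if (token == null) {
                token = UUID.randomUUID().toString();
                session.setAttribute(ATTR, token);
            }
            return token;
        }
    }

    // Per-request strategy: every rendered form gets a fresh token that replaces
    // the stored one, so any previously rendered form's token stops being valid.
    static String perRequestToken(FakeSession session) {
        synchronized (session) {
            String token = UUID.randomUUID().toString();
            session.setAttribute(ATTR, token);
            return token;
        }
    }

    // Validation is identical for both strategies: compare the submitted token
    // against the one bound to the session, in constant time.
    static boolean isValid(FakeSession session, String submitted) {
        String expected;
        synchronized (session) { expected = (String) session.getAttribute(ATTR); }
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed scenario: the user opens a form in tab A, opens the same form
        // in tab B, then submits tab A.
        FakeSession perSession = new FakeSession();
        String tabA = sessionToken(perSession);
        String tabB = sessionToken(perSession);
        System.out.println("per-session: tab A submit valid = " + isValid(perSession, tabA));
        System.out.println("per-session: tab B submit valid = " + isValid(perSession, tabB));

        FakeSession perRequest = new FakeSession();
        String tabA2 = perRequestToken(perRequest);
        String tabB2 = perRequestToken(perRequest);
        System.out.println("per-request: tab A submit valid = " + isValid(perRequest, tabA2));
        System.out.println("per-request: tab B submit valid = " + isValid(perRequest, tabB2));

        // A cross-site request cannot read the session-bound token, so a guessed
        // value is rejected under either strategy.
        System.out.println("guessed token valid = " + isValid(perSession, "not-the-token"));
    }
}
```

The protection in both cases comes from the token being unreadable to another origin, not from how often it changes; rotating it per session login (a fresh session, a fresh token) covers the session-fixation concern without breaking multi-tab use.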

manickarajm
Explorer
0 Kudos

Thanks for the reply. I think it makes sense to consider it during login only, as per the post.

Thanks, k

Answers (0)