Showing results for 
Search instead for 
Did you mean: 

CSRF tokens are not unique for two different users

0 Kudos


We are developing a B2B site using the Hybris Version

Security verification team raised an concern that the CSRF tokens are not getting regenerated for different users and is remaining the same. User 1 logs in has Token 1 and log out. User 2 logs in and has the same Token 1. I think they might have used the same browser window.

Is this really an issue as Token is random generated and the validation of the token is done by the CSRFHandlerInterceptor.

In Our Codebase we have the default values on the "csrf.allowed.url.patterns" and also the spring-mvc-config.xml the bean properties are not commented out as directed in the help documentation.

Please let know so that i can provide some valid explanation to the security team.

Accepted Solutions (0)

Answers (0)