Reputation: 217
Spring CSRF token life
I am implementing CSRF protection using Spring security as per the doc
One question I have is: When this token will get invalidated by the Spring security? Does the token gets invalidated for each request submit?
Upvotes: 6
Views: 4877
Answers (1)
Reputation: 20135
By default the CSRF token is stored in the HTTP session and is generated on a per-session basis. See the official Spring Security documentation for more details. Therefore, the default lifecycle of CSRF tokens is the session duration.
Like everything else in Spring Security, the storage and retrieval of CSRF tokens can be customized to suit individual needs. The way to do that would involve creating an implementation for CsrfTokenRepository. Custom implementations could change the token on a per request basis, store the token in a relational database, and so on.
Upvotes: 9
Related Questions
- Which mechanism to use for CSRF token handling with spring security
- Generate and validate CSRF token on java web application
- Spring Boot CSRF
- Spring CSRF protection scenario?
- spring security get csrf token in java area
- Protecting web application from CSRF attack using Spring Security
- Spring Security and CSRF attack
- Different csrf token per request in Spring security
- CSRF: Generate token for every request
- CSRF protection in web application