I'm using form authentication on Spring Security. So I go to my login form, enter my username and password, and then I have access to the protected resources on my site. Unlike basic authentication, with form authentication the username and password are only sent on the first request.

What I don't understand is how the Spring Security Servlet keeps track of who the end user is on subsequent requests. I understand that with basic authentication the Servlet can just look up the encoded username & password in the header. But how does this work with form authentication?

I'm assuming some sort of session variable is set? If so, what is it? Does Spring Security have some sort of temporary database linking session ids to usernames? Most importantly, if I don't use a CSRF token, would all an attacker need to do to impersonate the user be to know this session variable?
Upvotes: 2
Views: 135
Upon authentication, Spring Security adds a session attribute called SPRING_SECURITY_CONTEXT.
This session attribute is stored in server memory and is associated with your browser via the JSESSIONID cookie.
It holds an instance of SecurityContextImpl, which includes a UsernamePasswordAuthenticationToken, which holds the username.
Does Spring security have some sort of temporary database linking session ids to usernames?
Yes, insofar as the server-side session acts like a database. On each request, the server will look up your session attributes based on the value of the JSESSIONID cookie.
If I don't use a CSRF token, would all an attacker need to do is know this session variable to impersonate the user?
Without CSRF protection, an attacker can impersonate the user by getting them to use the attacker's site and make requests (via JS or Flash or what-not) to your site.
Your site is equally vulnerable to CSRF if using HTTP Basic Authentication too.
Always use CSRF protection on any important forms on your site. Why would you not?
Upvotes: 2
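The mechanism the answer describes, as an added example that is not part of the original question or answer and is not Spring Security's own code: a minimal Spring Boot 3 / Spring Security 6 application with form login and CSRF protection left at their defaults, plus an endpoint that reads the SPRING_SECURITY_CONTEXT session attribute back out and shows what the server keeps for the current JSESSIONID. The package name, the endpoint paths, the controller class names and the single in-memory user are constructed for this illustration; the constant HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, the request attribute CsrfToken.class.getName() and the default login page are real Spring Security APIs.

```java
// Added example (not from the original post). Assumes Spring Boot 3.x with
// spring-boot-starter-web and spring-boot-starter-security on the classpath.
package example; // hypothetical package name

import java.util.LinkedHashMap;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class SessionDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(SessionDemoApplication.class, args);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults()) // credentials are POSTed once, to /login
            .csrf(Customizer.withDefaults());     // CsrfFilter rejects state-changing requests without a token
        return http.build();
    }

    @Bean
    UserDetailsService users() {
        // Constructed demo user. "{noop}" means the password is stored in plain text;
        // acceptable only for a throwaway demo.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}secret").roles("USER").build());
    }
}

@RestController
class WhoAmIController {

    // GET /whoami (hypothetical path): show what the server holds for this JSESSIONID.
    @GetMapping("/whoami")
    Map<String, Object> whoAmI(HttpServletRequest request, HttpSession session) {
        // The object the answer describes: a SecurityContextImpl stored under the
        // session attribute "SPRING_SECURITY_CONTEXT".
        SecurityContext fromSession = (SecurityContext) session.getAttribute(
            HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        // The same context, as the filter chain exposed it to this request.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // The CSRF token is also tied to the session; CsrfFilter publishes it as a request attribute.
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());

        Map<String, Object> out = new LinkedHashMap<>();
        out.put("sessionId", session.getId());                    // value carried in the JSESSIONID cookie
        out.put("sessionAttributeKey", HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        out.put("sessionAttributeType", fromSession == null ? null : fromSession.getClass().getName());
        out.put("authenticationType", auth.getClass().getName()); // UsernamePasswordAuthenticationToken after form login
        out.put("username", auth.getName());
        out.put("matchesHolder", fromSession != null && auth.equals(fromSession.getAuthentication()));
        out.put("csrfParameterName", csrf.getParameterName());    // "_csrf" by default
        out.put("csrfHeaderName", csrf.getHeaderName());          // "X-CSRF-TOKEN" by default
        return out;
    }

    // POST /rename (hypothetical path): a state-changing request. With CSRF on, a form
    // submitted from another origin carries the victim's JSESSIONID cookie but not the
    // token, so CsrfFilter answers 403 before this method runs. A same-origin form that
    // includes <input type="hidden" name="_csrf" value="..."> (the default login page
    // already does) is accepted.
    @PostMapping("/rename")
    String rename(@RequestParam String newName, Authentication auth) {
        return "user " + auth.getName() + " asked to be renamed to " + newName;
    }
}
```

Run it, log in as alice/secret on the generated /login page, then open /whoami: the response shows the session id from the cookie, the SecurityContextImpl under SPRING_SECURITY_CONTEXT, and the username inside it, which is exactly the "temporary database" the answer refers to. Note that the CSRF token only stops requests made from another origin using the browser's own cookie; an attacker who obtains the JSESSIONID value itself can replay it directly, which is why the cookie should be HttpOnly and Secure and the site served over HTTPS, and why Spring Security changes the session id on login by default.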