CODEWITHSUNDEEP
javaspringsessionspring-securitysession-fixation
FreezY
FreezY

Reputation: 1671

Expected CSRF token not found. Has your session expired?

I have research in SE about this issues and not found the answer to resolve the problem occur.

From my problem of view, every time I logout the session in web and open the new tab, this error always trigger . I think the session management not allow the csrf token to be exposed in another tab in browser.

When I trace the JSESSIONID in chrome cookies console,it shows that no response given compared to normal successful login which give response of JSESSIONID.

This is my login page form:

<form name='loginForm' action="<c:url value='/login' />" method="post">
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
        <div id="username_input">
            <div id="username_inputleft"></div>
            <div id="username_inputmiddle">                 
                <input type="text" name="username" id="url" placeholder="<spring:message code="login.name" />" >
                <img id="url_user" src="<c:url value="/resources/images/login/mailicon.png"/>" alt="">              
            </div>
            <div id="username_inputright"></div>
        </div>
        <div id="password_input">
            <div id="password_inputleft"></div>
            <div id="password_inputmiddle">                 
                <input type="password" name="password" id="url" placeholder="<spring:message code="login.password" />" >
                <img id="url_password" src="<c:url value="/resources/images/login/passicon.png"/>" alt="">              
            </div>
            <div id="password_inputright"></div>
        </div>
        <div id="submit">               
            <input type="image" src="<c:url value="/resources/images/login/submit_hover.png"/>" id="submit1"  value="Sign In" />                
            <input type="image" src="<c:url value="/resources/images/login/submit.png"/>" id="submit2"  value="Sign In"/>               
        </div>          
        </form>

I think the problem was from session management in my security configuration here:

.sessionManagement()
        .sessionFixation()
        .newSession()
        .maximumSessions( 1 );

but somehow I cannot solve the problem. I hope someone can help.

Update:

I logout by using this link:

<a href="<c:url value="/logout" />">
 <spring:url value="/resources/images/logout.jpg" var="logoutimg" />
 <img src="${logoutimg}">
 <spring:url value="/resources/images/logout_txt.jpg" var="logouttxtimg" />
 <img class="hidden-xs" src="${logouttxtimg}" />
</a>

Upvotes: 1

Views: 4458

Answers (2)

tlili_souf
tlili_souf

Reputation: 11

Try this in your controller 

@RequestMapping("/Logout")
public ModelAndView processLogout(HttpServletRequest request, HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    mv = new ModelAndView();
    mv.setViewName("Login");
    return mv;
}

And in your login page insert 

<input type="hidden" name="${_csrf.parameterName}"
                    value="${_csrf.token}" />

Don't forget to add this to your security configuration 

<security:logout delete-cookies="JSESSIONID"
        logout-success-url='/login?logout' logout-url="/Logout"
        invalidate-session="true" />

Upvotes: 0

FreezY
FreezY

Reputation: 1671

For some reason, we need to use the /logout or /j_spring_security_logout to log the current user out. If we use another method to logout programmatically, the logout process will not complete unless I using the url provided. Thanks for help. If someone come out with the solution to logout programmtically completely without affecting the spring security, please tell me then. Thanks

Upvotes: 0

Related Questions