Reputation: 979
I have implemented a CSRF filter in Spring Boot using the header-based token method. When I run on a single server my application works well; when I introduce another server, or a request is served by the load balancer (depending on how the load balancer serves the request), it fails to validate the token issued by the other server.
Can anyone here tell me how we can create a CSRF token based on a particular key which will be the same for all servers, so that every server will access that same key to identify the user, or some other way to share the CSRF token between different servers?
Upvotes: 2
Views: 4794
Reputation: 2832
There are two ways you can work around this issue:
Configure your load balancer to use/work with sticky sessions. For example, if you are using Nginx as a load balancer you can explore the links below:
If you do not want to use sticky sessions, then you can use Spring Session, since by default the CSRF token is stored inside the HTTP session.
Hence you need to have the HTTP session replicated. You can do this using Spring Session.
Refer to the links below:
Redis
Download and install Redis. For example, if you are using OS X you can use Brew, e.g.:
$ brew install redis
(If you use Linux, you can use yum or apt-get. Alternatively, read the Quick Start Guide.)
Start Redis by calling the redis-server command, e.g. if you use Brew on OS X:
$ redis-server /usr/local/etc/redis.conf
[...]
Port: 6379
[...]
Server started, Redis version 3.0.1
[...]
Upvotes: 3
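The Spring Session route from the answer above, as an added example that is not part of the question or answer: a Spring Boot 2 / Spring Security 5 configuration that stores the HTTP session (and therefore the session-scoped CSRF token) in Redis, so any instance behind the load balancer can validate a header token issued by another instance. It assumes the `spring-session-data-redis` dependency on the classpath and a Redis server at the hypothetical host `redis-host`; the `X-CSRF-TOKEN` header name is Spring Security's default for `HttpSessionCsrfTokenRepository`.

```java
// Added example (not from the question or answer above): replicate the HTTP
// session, and with it the CSRF token, through Redis via Spring Session, so
// every instance behind the load balancer validates tokens issued by any other.
// Assumes org.springframework.session:spring-session-data-redis on the classpath
// and Redis reachable at the hypothetical host "redis-host".
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableRedisHttpSession // registers the Spring Session filter that persists sessions in Redis
public class SharedSessionConfig {

    @Bean
    public LettuceConnectionFactory redisConnectionFactory() {
        // Hypothetical host; 6379 is the default port shown in the redis-server output above.
        return new LettuceConnectionFactory("redis-host", 6379);
    }
}

@Configuration
@EnableWebSecurity
class CsrfHeaderSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The token is kept in the (now Redis-backed) HttpSession. The client echoes it
        // back in the X-CSRF-TOKEN header on state-changing requests; because all
        // instances read the same session store, the check passes on every server.
        HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
        tokenRepository.setHeaderName("X-CSRF-TOKEN");

        http.csrf().csrfTokenRepository(tokenRepository)
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

With this in place the load balancer no longer needs sticky sessions: the `SESSION` cookie set by Spring Session identifies the Redis-stored session from whichever instance receives the request.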