Skip to content
/ spring-security-csrf-vs-sessions Public

A sandbox to test Spring Security CSRF vs Session Management behavior

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

FlasH-RUS/spring-security-csrf-vs-sessions

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
gradle/wrapper
gradle/wrapper
 
 
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 
gradlew
gradlew
 
 
gradlew.bat
gradlew.bat
 
 

Repository files navigation

Spring Security CSRF vs Session Management playground

This is a small investigation project to finally understand how does Spring Security cookie-based CSRF works with its own Session Management. The idea is to have several branches with different configurations (stateless session management, disabled session management, etc.) and see if and how the behavior changes depending on that.

Expected CSRF behavior

  • CSRF token is generated if absent (= first visit to the application)
  • CSRF token is re-generated after successful login
  • CSRF token is re-generated after successful logout
  • CSRF token is not regenerated on any other occasion

Setup

  • Spring Boot 1.5.8
  • Default security with in-memory authentication and cookie-based CSRF enabled (CookieCsrfTokenRepository)
  • Index page (/) that requires authentication
  • Functional tests (see ru.lonedeveloper.flash.demo.csrfsessions.FunctionalTest) to check the application behavior
  • CSRF tests see (see ru.lonedeveloper.flash.demo.csrfsessions.CsrfTest) to check CSRF-related behavior

About

A sandbox to test Spring Security CSRF vs Session Management behavior

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages