  1. Spring Security
  2. SEC-2422

Session timeout not detected when CSRF protection is enabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.0.RC2
    • Fix Version/s: 3.2.0
    • Component/s: Web
    • Labels:
      None

      Description

      The settings are as follows:

          <sec:http auto-config="true" use-expressions="true">
              <sec:session-management 
                  invalid-session-url="/error/sessionError"
                  session-authentication-strategy-ref="sessionAuthenticationStrategy" />
          </sec:http>
      

      The session timeout is detected when a GET method is called, but it is not detected when a POST method is called.
      When a POST method is called, a CSRF token error occurs.

      Is this behavior the best practice in Spring Security?

      Also, when a POST method is called, I want to detect the session timeout.
      If I want to detect the session timeout when a POST method is called, what should I do?

            People

            Assignee:
            rwinch Rob Winch
            Reporter:
            kazukishimizu Kazuki Shimizu
            Votes:
            1
            Watchers:
            6
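
One way to tell a timed-out session apart from a real CSRF failure on POST, as an added example that is not code from this issue or from the Spring Security project. It assumes Spring Security 3.2.0 or later, where `CsrfFilter` reports an absent server-side token as `MissingCsrfTokenException`; the class name `SessionTimeoutAwareAccessDeniedHandler` is hypothetical, and the URL is the `invalid-session-url` value from the configuration above.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

/**
 * Hypothetical handler (added example). The expected CSRF token lives in the
 * HTTP session, so after a timeout a POST fails the CSRF check before the
 * session-management filter can apply invalid-session-url.
 */
public class SessionTimeoutAwareAccessDeniedHandler implements AccessDeniedHandler {

    private final String invalidSessionUrl; // e.g. "/error/sessionError"
    private final AccessDeniedHandler fallback = new AccessDeniedHandlerImpl();

    public SessionTimeoutAwareAccessDeniedHandler(String invalidSessionUrl) {
        this.invalidSessionUrl = invalidSessionUrl;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException ex) throws IOException, ServletException {
        // The client sent a session id that the container no longer accepts:
        // the same condition the session-management filter checks on GET.
        boolean staleSession = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (ex instanceof MissingCsrfTokenException && staleSession
                && !response.isCommitted()) {
            // No server-side token and a stale session id: a timeout.
            response.sendRedirect(request.getContextPath() + invalidSessionUrl);
            return;
        }
        // A token mismatch on a live session, or a request that never had a
        // session, stays a plain 403 so real CSRF failures are not masked.
        fallback.handle(request, response, ex);
    }
}
```

The handler takes effect once it is set on the CSRF filter with `CsrfFilter.setAccessDeniedHandler(...)`; whether an `<sec:access-denied-handler ref="..."/>` element inside `<sec:http>` is also passed to that filter is an assumption to verify against the version in use.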
