
MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #10436

Closed
darioseidl opened this issue Oct 22, 2021 · 2 comments
Assignees
Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone

Comments

@darioseidl

When using the org.springframework.security.web.csrf.CookieCsrfTokenRepository for CSRF protection, no information is stored in the HTTP session. When an org.springframework.security.web.csrf.MissingCsrfTokenException is thrown, because there was no CSRF cookie, the message is misleading and confusing at first:

org.springframework.security.web.csrf.MissingCsrfTokenException: Could not verify the provided CSRF token because your session was not found.

I was scratching my head, "which session!?".

The message is hardcoded in the MissingCsrfTokenException; the exception is thrown in org.springframework.security.web.csrf.CsrfFilter#doFilterInternal when tokenRepository.loadToken returns null.

A very simple fix would be to change the message to something akin to

"Could not verify the provided CSRF token because no token was found in the CSRF token repository."

A slightly more involved fix would create a different message for the different token repository implementations, like "because your session was not found" and "because no cookie was found" respectively, but that would require changing the CsrfTokenRepository interface to add a message getter or some other means by which the CsrfFilter can generate the appropriate message.

If you think either solution is worthwhile, I can provide a pull request.
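Until the message itself is changed, the denial can be reworded where it is reported. The following is an added example, not code from this issue or from Spring Security: an AccessDeniedHandler that, for a MissingCsrfTokenException, states the cookie-based reason instead of the hardcoded "session was not found". It assumes Spring Security 5.x (javax.servlet), the CookieCsrfTokenRepository default cookie name XSRF-TOKEN, and the hypothetical class name CookieAwareCsrfDeniedHandler.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.logging.Logger;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

/** Hypothetical handler (not part of Spring Security) that replaces the
 *  hardcoded "session was not found" text when tokens live in a cookie. */
public class CookieAwareCsrfDeniedHandler implements AccessDeniedHandler {

    private static final Logger LOG = Logger.getLogger(CookieAwareCsrfDeniedHandler.class.getName());

    // Name of the cookie CookieCsrfTokenRepository reads; "XSRF-TOKEN" is its default.
    private final String cookieName;

    public CookieAwareCsrfDeniedHandler(String cookieName) {
        this.cookieName = cookieName;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException {
        if (!(ex instanceof MissingCsrfTokenException)) {
            // Other denials (including InvalidCsrfTokenException) keep their own message.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, ex.getMessage());
            return;
        }
        // loadToken() returns null when the cookie is absent or carries an empty
        // value, so tell the two apart to give the caller a precise reason.
        Cookie[] cookies = request.getCookies();
        boolean present = cookies != null
                && Arrays.stream(cookies).anyMatch(c -> cookieName.equals(c.getName()));
        String reason = present
                ? "the " + cookieName + " cookie was sent with an empty value"
                : "no " + cookieName + " cookie was sent with the request";
        // Log method and path for detection; the token value itself is never logged.
        LOG.warning(() -> "CSRF token missing on " + request.getMethod() + " "
                + request.getRequestURI() + ": " + reason);
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                "Could not verify the provided CSRF token because " + reason + ".");
    }
}
```

Register it with http.exceptionHandling().accessDeniedHandler(new CookieAwareCsrfDeniedHandler("XSRF-TOKEN")) alongside csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); the CSRF configurer uses the handler set on exceptionHandling().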

@darioseidl darioseidl added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 22, 2021
@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 25, 2021
@marcusdacoregio marcusdacoregio added this to the 5.6.0 milestone Oct 29, 2021
@edmundham

Hello, is there any plan on having this in other versions? e.g. 5.5.x

@marcusdacoregio
Contributor

marcusdacoregio commented Nov 19, 2021

Hello @edmundham. Thank you for reminding me of that; somehow it got lost in my notes. Will do it up to 5.2.x.
