CSRF token expires during login

Problem description

I'm working on a Spring web application and I need to avoid a problem with an expired CSRF token on the login page, because if the user waits too long and tries to log in, the only way to resolve the CSRF problem is to reload the page and try to log in again. But it's not user friendly and I want to avoid this situation.

First question: Is it possible in general (with Spring Security 3.2.4)? Without disabling CSRF.

I tried to use security="none" for the login page and Spring Security's "login_check", but it's not working: I got an infinite redirect, or I got an error that there is no mapping for the URL "myhost/login_check".

Second question: How can I do it?

Recommended answer

Recommended solution

I would say that you should not disable CSRF tokens on a production site. You may make the session (and thus the CSRF token) last longer (but it usually should not last longer than a day, especially for not-logged-in users, as it is a DoS vector), but the real solution may be to automatically refresh the login page when the CSRF token expires. You may use a

<META HTTP-EQUIV="REFRESH" CONTENT="csrf_timeout_in_seconds">

in your login page header. If the user lets the login page sit for hours, it should not bother him that the page got refreshed.

A possible solution which does not require you to actually store sessions but allows for an infinite timeout is that you can generate your CSRF tokens by hashing the session id together with a server-side secret:

csrf = hash(sessionid+secret)

Note however that you need to really dig and override spring-security internal mechanisms, namely:

  • immediately recreating an anonymous session if a request arrives and no such session exists
  • creating the CSRF token on the fly from the session id

And choose a very secure hashing algorithm, preferably SHA-512.

You could have a small JavaScript that calls a no-op page on your server regularly (just before the session timeout), thus extending your session. This results in an infinite session timeout only if the browser is on all the time, so the DoS aspect is mitigated.

You can alter the CSRF token checking code, and disable it for the login page. This is actually synonymous with the second solution, but is specific for the login page, not generally for all anonymous sessions.

You can do this e.g. by setting a custom RequestMatcher in HttpSecurity:

http.csrf().requireCsrfProtectionMatcher(new MyCsrfRequestMatcher());
...
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Require CSRF protection for every request except the login form submission.
class MyCsrfRequestMatcher implements RequestMatcher {
    @Override
    public boolean matches(HttpServletRequest request) {
        // true means this request must carry a valid CSRF token
        return !request.getServletPath().equals("/login");
    }
}
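The stateless scheme from the answer above (csrf = hash(sessionid + secret)), modelled as an added example outside Spring rather than code from the answer or from Spring Security: the token is a keyed hash (HMAC-SHA512, the keyed form of the answer's hash) of the session id, verification recomputes it from the id the browser presents instead of looking anything up, a timed-out anonymous session is recreated as the answer says, and a successful login rotates to a fresh session id. The server secret, session store and session-id format are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-server-secret-for-this-example"

# Live server-side sessions: session id -> attributes. No CSRF token is stored here.
sessions: Dict[str, dict] = {}


def csrf_token_for(session_id: str) -> str:
    """The answer's csrf = hash(sessionid + secret), with the secret used as an HMAC key."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha512).hexdigest()


def new_anonymous_session() -> str:
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = {"anonymous": True}
    return session_id


def render_login_form(session_id: str) -> dict:
    """What the login page embeds: the session cookie value and the token derived from it."""
    return {"session_id": session_id, "_csrf": csrf_token_for(session_id)}


def expire_all_sessions() -> None:
    """Simulates the container dropping every server-side session after the timeout."""
    sessions.clear()


def handle_login_post(presented_session_id: str, presented_token: str) -> Optional[str]:
    """Check the token against the session id the browser sent; returns the new session id.

    The expected token is recomputed, so a login form left open past the session timeout
    is still accepted as long as the cookie value is intact. A wrong token, or a token
    bound to a different session id, is rejected with a constant-time comparison.
    """
    expected = csrf_token_for(presented_session_id)
    if not hmac.compare_digest(expected, presented_token):
        return None
    # If the anonymous session timed out meanwhile, it is recreated (the spring-security
    # override the answer mentions) and then, as on any login, replaced by a fresh id so
    # the pre-login id never carries into the authenticated session (fixation protection).
    sessions.pop(presented_session_id, None)
    authenticated_id = secrets.token_urlsafe(32)
    sessions[authenticated_id] = {"anonymous": False}
    return authenticated_id
```

Note that this keeps the CSRF check on the login POST itself, whereas exempting /login through the RequestMatcher above leaves the login form without CSRF protection.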
