We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ATM the CSRF filter only sets a CSRF cookie for safe methods (like GET) if it does not exist, but it never refreshes it.
GET
So, for example, what can happen, since the cookie expires after 10 minutes, is the following:
We should refresh the CSRF cookie on every request, safe or even POST. This has been reported by several users independently.
The text was updated successfully, but these errors were encountered:
/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)
Sorry, something went wrong.
Thanks @FroMage It looks like what I experienced 👍
@FroMage @ia3andy Do you mean that when the cookie has arrived and verified, it is then removed, and created again with the same value ?
Same value, and expired date renewed for X more time.
sberyozkin
Successfully merging a pull request may close this issue.
Describe the bug
ATM the CSRF filter only sets a CSRF cookie for safe methods (like
GET
) if it does not exist, but it never refreshes it.So, for example, what can happen, since the cookie expires after 10 minutes, is the following:
We should refresh the CSRF cookie on every request, safe or even POST. This has been reported by several users independently.
The text was updated successfully, but these errors were encountered: