
Documentation about CSRF and cookies is confusing #11607

Open
wujek-srujek opened this issue Jul 21, 2022 · 0 comments
Labels
in: docs An issue in Documentation or samples type: enhancement A general enhancement

Comments

@wujek-srujek

Reading https://docs.spring.io/spring-security/reference/features/exploits/csrf.html for 5.7.2 one can read (https://docs.spring.io/spring-security/reference/features/exploits/csrf.html#csrf-protection-stp):

...
Requiring the actual CSRF token in a cookie does not work because cookies are automatically included in the HTTP request by the browser.
...

Then, under https://docs.spring.io/spring-security/reference/features/exploits/csrf.html#csrf-considerations-timeouts one can read:

...
Finally, the expected CSRF token could be stored in a cookie. This allows the expected CSRF token to outlive the session.
...

These statements seem to be contradicting. Should the CSRF token be put into a cookie in addition to the previously recommended HTTP parameter or an HTTP header?

@wujek-srujek wujek-srujek added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jul 21, 2022
@marcusdacoregio marcusdacoregio added in: docs An issue in Documentation or samples and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 26, 2022
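The two quoted sentences describe two different roles for a cookie, and the difference is easiest to see in code. The following is an added, framework-agnostic model written for this page, not code from the Spring Security project or from the issue author. It contrasts a check that accepts the cookie as the only evidence (what the first quote warns against) with the double-submit arrangement the second quote refers to, where the cookie carries the expected token and the request must still echo the actual token in a header or parameter. The cookie, header and parameter names are my assumption of the defaults Spring Security uses for its cookie-backed token repository; the request shapes and the `demo` function are constructed here for illustration.

```python
"""Model of the two CSRF token placements discussed in the issue (added example)."""
import hmac
import secrets

# Names assumed to mirror Spring Security's cookie-backed CSRF repository defaults;
# they are not taken from the issue text and any names would do for the model.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"
PARAM_NAME = "_csrf"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token() -> str:
    """Server mints a random expected token; it is then set as a (non-HttpOnly) cookie."""
    return secrets.token_urlsafe(32)


def cookie_only_check(request: dict) -> bool:
    """The scheme the first quote warns against: the cookie alone proves nothing,
    because the browser attaches it to a cross-site form post automatically."""
    if request["method"] in SAFE_METHODS:
        return True
    return COOKIE_NAME in request["cookies"]


def double_submit_check(request: dict) -> bool:
    """The scheme the second quote describes: the cookie stores the *expected*
    token, and the request must carry the matching *actual* token in a header or
    parameter, which only same-origin code that can read the cookie can supply."""
    if request["method"] in SAFE_METHODS:
        return True
    expected = request["cookies"].get(COOKIE_NAME)
    if not expected:
        return False
    headers = {k.lower(): v for k, v in request["headers"].items()}
    actual = headers.get(HEADER_NAME.lower()) or request["params"].get(PARAM_NAME)
    if not actual:
        return False
    # Constant-time comparison so the check does not leak token bytes via timing.
    return hmac.compare_digest(expected, actual)


def legitimate_request(token: str) -> dict:
    """Constructed same-origin request: JavaScript read the cookie and echoed it."""
    return {"method": "POST", "cookies": {COOKIE_NAME: token},
            "headers": {HEADER_NAME: token}, "params": {}}


def forged_request(token: str) -> dict:
    """Constructed cross-site form post: the cookie rides along, but the foreign
    page cannot read it, so there is no header or parameter echo."""
    return {"method": "POST", "cookies": {COOKIE_NAME: token},
            "headers": {}, "params": {}}


def demo() -> dict:
    """Outcome of both checks against a forged and a legitimate request."""
    token = issue_token()
    return {
        "cookie_only_accepts_forgery": cookie_only_check(forged_request(token)),
        "double_submit_accepts_forgery": double_submit_check(forged_request(token)),
        "double_submit_accepts_legit": double_submit_check(legitimate_request(token)),
    }


if __name__ == "__main__":
    print(demo())
```

So the answer to the question in the issue, as the model shows, is that the cookie does not replace the header or parameter: it is where the server keeps the expected value, and the header or parameter is still where the request must present the actual value.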