Description
Summary
CsrfRequestDataValueProcessor takes care of adding a hidden form input field with the CSRF token value for POST forms. This is done in the getExtraHiddenFields() method. When there is no active session (i.e. anonymous user), this triggers a session creation. If some output has already been written to the response (i.e. it's "committed") prior to this and cookies are used to store the session id, this exception occurs:
java.lang.IllegalStateException: Cannot create a session after the response has been committed
Actual Behavior
In Thymeleaf 3 this can occur (see thymeleaf/thymeleaf-spring#110) under certain conditions:
- Writing 16kb before the form (the buffer size with Spring Boot's embedded Tomcat)
- Thymeleaf's inline serializing uses Jackson, and Jackson flushes its buffer after serialization.
I have no experience with JSP, but a quick search suggests that flushing output before the whole page is processed is also possible.
I expect other view renderers using CsrfRequestDataValueProcessor can also exhibit this kind of behavior.
Requesting a CSRF token when rendering a form while no session is active is probably a common case when GETting login forms.
Workaround
The obvious workaround is to make sure a session is created for any page containing a form which can be accessed anonymously.
Expected Behavior
I haven't been able (yet) to find anything better than my current workaround to solve this issue. Hopefully someone will have a better idea how to solve this.
Version
Spring Boot 1.3.5 with Thymeleaf 3
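The workaround described above (make sure a session exists before any anonymously reachable form page is rendered) can be implemented as a Spring MVC HandlerInterceptor. The following is an added example and not code from the issue reporter or from Spring Security; it uses the Spring 4.x / Spring Boot 1.3 APIs (HandlerInterceptorAdapter, WebMvcConfigurerAdapter). The class names and the path patterns "/login" and "/register" are assumptions standing in for whatever anonymous form URLs an application actually serves.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Registers an interceptor that creates the HTTP session up front for pages
 * that contain a form and may be requested anonymously. preHandle runs before
 * the controller and before the view writes anything, so the response is not
 * yet committed and the session cookie can still be set. When
 * CsrfRequestDataValueProcessor later asks for the CSRF token while rendering
 * the form, the session already exists and no late session creation is needed.
 *
 * Class names and path patterns below are hypothetical (assumption).
 */
@Configuration
public class EagerSessionMvcConfig extends WebMvcConfigurerAdapter {

    /** Creates the session early; harmless if one already exists. */
    static class EagerSessionInterceptor extends HandlerInterceptorAdapter {
        @Override
        public boolean preHandle(HttpServletRequest request,
                                 HttpServletResponse response,
                                 Object handler) {
            // Guard against the very situation the issue describes: never try to
            // create a session once the response has been committed.
            if (!response.isCommitted()) {
                request.getSession(true); // creates the session if absent
            }
            return true; // always continue to the handler
        }
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new EagerSessionInterceptor())
                // Assumed URLs of form pages reachable without authentication.
                .addPathPatterns("/login", "/register");
    }
}
```

Restricting the interceptor to the anonymous form pages keeps the session-per-request cost away from the rest of the site; mapping it to "/**" would create a session for every anonymous visitor, which is usually undesirable.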