Skip to content

With stateless enabled, Spring Security still uses sessions for CSRF #918

New issue
New issue
Closed
#919
Closed
With stateless enabled, Spring Security still uses sessions for CSRF#918
#919
Assignees
platosha
Labels
Impact: LowReleased with Platform 22.0.0.alpha8Severity: MajorbugfusionChanges required for fusionprerelease version for platform 22.0.0
@platosha

Description

@platosha
platosha
opened on Oct 12, 2021

As a developer, I want to use stateless authentication in my app based on Fusion and Spring Security, so that it does not rely on server-side sessions.

Steps in a V22 Fusion / Spring Security application:

  • Following the docs, use setStatelessAuthentication to enable stateless authentication
  • Start the dev server, open in the browser and log in
  • Restart the server without reloading the browser page
  • After the restart, make an endpoint call from the browser

Expected:

The endpoint call resolves.

Actual:

The endpoint call rejects, there is an Invalid CSRF token error in CsrfFilter on the server side visible in spring security debug logs.

Metadata

Metadata

Assignees

Labels

Impact: LowReleased with Platform 22.0.0.alpha8Severity: MajorbugfusionChanges required for fusionprerelease version for platform 22.0.0

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions