vaadin/spring

With stateless enabled, Spring Security still uses sessions for CSRF

platosha opened this issue · 2 comments

As a developer, I want to use stateless authentication in my app based on Fusion and Spring Security, so that it does not rely on server-side sessions.

Steps in a V22 Fusion / Spring Security application:

  • Following the docs, use setStatelessAuthentication to enable stateless authentication
  • Start the dev server, open in the browser and log in
  • Restart the server without reloading the browser page
  • After the restart, make an endpoint call from the browser

Expected:

The endpoint call resolves.

Actual:

The endpoint call is rejected; there is an "Invalid CSRF token" error from CsrfFilter on the server side, visible in the Spring Security debug logs.

Let us make sure using tests that the session does not exist on the server when endpoints are called.

This ticket/PR has been released with platform 22.0.0.alpha8 and is also targeting the upcoming stable 22.0.0 version.