[JAVA] When the login screen times out with spring-security, the CSRF token expires and login fails.

Phenomenon and cause

Symptom: in an environment with Spring Security enabled, you open the login screen, leave it for a long time and then try to log in. The login fails even though the ID and password are correct.

The cause is that the HTTP session times out while the page is left open. With the default HttpSessionCsrfTokenRepository the CSRF token is stored in the session, so when the session expires the server-side copy of the token is gone. When the form is finally submitted, a new session is created for the request, the token embedded in the form no longer matches anything on the server, and CsrfFilter rejects the POST with HTTP 403. CsrfFilter runs before the form-login filter, so the credentials are never checked; the login fails no matter how correct they are.

Countermeasures

Refresh the login page periodically, at an interval shorter than the session timeout, so that the page always carries a CSRF token that belongs to a still-live session. Reference: https://stackoverflow.com/questions/27501212/csrf-token-expires-during-login

<META HTTP-EQUIV="REFRESH" CONTENT="csrf_timeout_in_seconds">

Replace csrf_timeout_in_seconds with a value a little below the session timeout (server.servlet.session.timeout in Spring Boot, or session-timeout in web.xml, which is given in minutes). Note that each refresh is a request that touches the session, so an open login tab keeps that (unauthenticated) session alive for as long as it stays open.

The reference URL also lists other solutions. In Spring Security terms, two common alternatives are storing the token outside the session (CookieCsrfTokenRepository), so it no longer disappears with the session, and handling the rejected request in an AccessDeniedHandler so the user is sent back to a fresh login page with a message instead of a bare 403.
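The following is an added example, not code from the original post. It combines the meta-refresh countermeasure with an AccessDeniedHandler for the timed-out case. It assumes Spring Boot 2.x with Spring Security 5.x, Thymeleaf views, the login page served at /login, and the package name com.example.login; the safety margin of 30 seconds and the `expired` query parameter are also choices made for this example.

```java
// Added example (not from the original post). Assumptions: Spring Boot 2.x,
// Spring Security 5.x, Thymeleaf, login page at /login, hypothetical package name.
package com.example.login;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

/** Serves the login page and tells the view how often to refresh itself. */
@Controller
class LoginController {

    /** Refresh this many seconds before the session would expire (example value). */
    static final int SAFETY_MARGIN_SECONDS = 30;

    /** Refresh interval derived from the container's session timeout, in seconds. */
    static int refreshSeconds(int maxInactiveIntervalSeconds) {
        if (maxInactiveIntervalSeconds <= 0) {
            return 0; // 0 means "do not refresh": the session never expires
        }
        int interval = maxInactiveIntervalSeconds - SAFETY_MARGIN_SECONDS;
        return interval > 0 ? interval : Math.max(1, maxInactiveIntervalSeconds / 2);
    }

    @GetMapping("/login")
    String login(HttpSession session, Model model) {
        // getMaxInactiveInterval() reflects server.servlet.session.timeout (Spring Boot)
        // or <session-timeout> in web.xml, so the template never hard-codes the value.
        model.addAttribute("refreshSeconds", refreshSeconds(session.getMaxInactiveInterval()));
        return "login";
        // Matching lines in templates/login.html (Thymeleaf); the meta tag is only
        // emitted when a refresh is actually wanted, because content="0" would reload at once:
        //   <meta th:if="${refreshSeconds > 0}" http-equiv="refresh" th:content="${refreshSeconds}">
        //   <p th:if="${param.expired}">Your session expired; please log in again.</p>
    }
}

/**
 * CsrfFilter passes a missing or stale token to the AccessDeniedHandler as a
 * MissingCsrfTokenException / InvalidCsrfTokenException (both extend CsrfException).
 * On the login form that is a timed-out session rather than an attack, so send
 * the user back to a fresh login page instead of returning a bare 403.
 */
class CsrfAwareAccessDeniedHandler implements AccessDeniedHandler {

    private final AccessDeniedHandler fallback = new AccessDeniedHandlerImpl();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        if (ex instanceof CsrfException && "/login".equals(request.getServletPath())) {
            // The redirect is a GET: CsrfFilter does not check GET, and rendering the
            // form issues a new token bound to the new session.
            response.sendRedirect(request.getContextPath() + "/login?expired");
            return;
        }
        fallback.handle(request, response, ex); // every other denial keeps the default 403
    }
}

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            // CSRF protection stays enabled; only the failure handling changes.
            .exceptionHandling(ex -> ex.accessDeniedHandler(new CsrfAwareAccessDeniedHandler()));
    }
}
```

The two parts are independent: the meta refresh prevents the stale token in the common case, and the handler covers the remaining cases (laptop suspended, tab restored from a saved session) where the refresh did not fire in time. The handler deliberately only redirects for the login URL; a CSRF failure anywhere else is still reported as 403 so that genuine forgery attempts are not silently turned into a redirect.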
