
CSRF protection should not create a HTTP session if session creation policy is set to STATELESS #5299

Open
@mvitz

Description

Summary

By default CSRF protection creates an HTTP session even if the session creation policy is configured to be STATELESS. This should not be the case, as a user expects no session to occur (within Spring Security) after specifying STATELESS.

Actual Behavior

An HTTP session is created when visiting the login page.

Expected Behavior

No HTTP session should be created.

Configuration

import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Bean
public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter() {
    return new WebSecurityConfigurerAdapter() {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // no HttpSession should ever be created by Spring Security
                .sessionManagement().sessionCreationPolicy(STATELESS)
            .and()
                .authorizeRequests().anyRequest().authenticated()
            .and()
                // CSRF protection is left at its defaults (HttpSessionCsrfTokenRepository)
                .formLogin();
        }
    };
}

Version

5.0.4.RELEASE

Sample

A sample application (using Spring Boot 2.x) can be found at https://github.com/mvitz/spring-security-csrf-issues/tree/master/stateless-session-creation-policy
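The session the reporter observes comes from the default, session-backed CSRF token repository. As an added example (not code from the issue or from the Spring Security project), the reporter's configuration is shown below with the CSRF token moved into a cookie via CookieCsrfTokenRepository, so the CsrfFilter no longer needs an HttpSession to persist the token. The class name StatelessCsrfConfig is assumed; this is a per-application workaround, not a change to the default behaviour the issue asks for.

```java
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Assumed class name; same policy as the issue's configuration, plus a
// cookie-backed CSRF token repository so no HttpSession is needed for the token.
@Configuration
@EnableWebSecurity
public class StatelessCsrfConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Keep the cookie HttpOnly: the server-rendered login form carries the
        // token itself, so script access is not required. Use
        // CookieCsrfTokenRepository.withHttpOnlyFalse() only when JavaScript
        // must read the token (e.g. a single-page application).
        CookieCsrfTokenRepository csrfTokenRepository = new CookieCsrfTokenRepository();

        http
            // Spring Security must never create an HttpSession itself
            .sessionManagement().sessionCreationPolicy(STATELESS)
        .and()
            // store the CSRF token in a cookie instead of the HttpSession
            .csrf().csrfTokenRepository(csrfTokenRepository)
        .and()
            .authorizeRequests().anyRequest().authenticated()
        .and()
            .formLogin();
    }
}
```

To confirm the effect, request the login page and check that the response carries a CSRF token cookie but no JSESSIONID Set-Cookie header.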
