Secure flag of CookieCsrfTokenRepository cookie #5414
Labels
in: web
An issue in web modules (web, webmvc)
status: duplicate
A duplicate of another issue
type: enhancement
A general enhancement
Summary
Can we please allow for configuring the desired value of the "secure" flag for the XSRF-TOKEN cookie created by CookieCsrfTokenRepository?
Actual Behavior
The flag is always set based on the "isSecure" flag on the Http request:
cookie.setSecure(request.isSecure());
Expected Behavior
While using the request's "isSecure" flag is a reasonable default, when webapps sit behind firewalls, sometimes the firewall does the SSL, and the traffic between the firewall and the app is plain HTTP (not HTTPS). In this case the "isSecure" flag on the request is always false, but we still want the XSRF-TOKEN cookie to be secure (the firewall forwards all cookies to the app, and the browser sends the secure cookie to the firewall).
It would be nice if we could configure the desired value for the secure flag of the cookie, just like we can configure the value for the httpOnly flag of the cookie.
Configuration
Version
I'm currently on 4.2.6.RELEASE
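A workaround for the situation described in the issue, as an added example that is not part of the original report or of Spring Security itself: wrap CookieCsrfTokenRepository in a delegating CsrfTokenRepository that hands it a HttpServletResponseWrapper whose addCookie forces Secure on every cookie the delegate writes, so the flag no longer depends on request.isSecure(). The class names SecureCookieCsrfTokenRepository and SecureCookieResponse are assumed names chosen here; the Spring Security and Servlet APIs used (CsrfTokenRepository, CookieCsrfTokenRepository.withHttpOnlyFalse(), HttpServletResponseWrapper.addCookie) are the real ones of the 4.2.x line.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;

/**
 * Example (assumed name, not Spring Security's own code): delegates all
 * token work to CookieCsrfTokenRepository, but intercepts the response it
 * writes to so the XSRF-TOKEN cookie is always marked Secure, even when a
 * TLS-terminating proxy makes request.isSecure() return false.
 */
public final class SecureCookieCsrfTokenRepository implements CsrfTokenRepository {

    private final CookieCsrfTokenRepository delegate;

    public SecureCookieCsrfTokenRepository(CookieCsrfTokenRepository delegate) {
        this.delegate = delegate;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return delegate.generateToken(request);
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        // The delegate calls response.addCookie(...) both when it writes a fresh
        // token and when it clears one (null token, max-age 0); the wrapper
        // below sets Secure in both cases.
        delegate.saveToken(token, request, new SecureCookieResponse(response));
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        return delegate.loadToken(request);
    }

    /** Response wrapper that forces the Secure attribute on every added cookie. */
    private static final class SecureCookieResponse extends HttpServletResponseWrapper {

        SecureCookieResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Override whatever the delegate derived from request.isSecure().
            cookie.setSecure(true);
            super.addCookie(cookie);
        }
    }
}

/*
 * Wiring it in (inside a WebSecurityConfigurerAdapter.configure(HttpSecurity http)):
 *
 *   http.csrf()
 *       .csrfTokenRepository(new SecureCookieCsrfTokenRepository(
 *           CookieCsrfTokenRepository.withHttpOnlyFalse()));
 */
```

Two caveats. First, forcing Secure=true is only correct when the public endpoint really is HTTPS; if the same deployment is ever reached over plain HTTP the browser will silently drop the cookie and every state-changing request will fail CSRF validation, so the flag should come from deployment configuration, not be hard-coded. Second, the more general fix for a TLS-terminating proxy is to make the container honour the proxy's forwarding headers so that request.isSecure() itself becomes true (for example Tomcat's RemoteIpValve/RemoteIpFilter with protocolHeader set to X-Forwarded-Proto), which fixes the Secure flag for every cookie the application writes, not just the CSRF one.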