Can we reset the Cross-Site Request Forgery (CSRF) token on log off?

As per our security requirement, we want to reset the CSRF token when the user logs off from the application. The token is currently tied to the browser and host.

Thanks in advance.

Hi,

Do you mean Web Client CSRF token?

If yes, then you could simply invalidate the entire HTTP session, for instance, using an event listener bean:

import com.haulmont.cuba.web.controllers.ControllerUtils;
import com.haulmont.cuba.web.security.events.AppLoggedOutEvent;
import com.vaadin.server.Page;
import org.springframework.context.ApplicationListener;
import org.springframework.stereotype.Component;

// Spring bean that reacts to the web client's logout event.
@Component
public class AppLoggedOutEventListener implements ApplicationListener<AppLoggedOutEvent> {
    @Override
    public void onApplicationEvent(AppLoggedOutEvent event) {
        // Reload the application URL with ?restartApp so that the current
        // HTTP session (and the CSRF token stored in it) is discarded.
        String url = ControllerUtils.getLocationWithoutParams() + "?restartApp";
        Page.getCurrent().open(url, "_self");
    }
}

Vaadin uses a single CSRF token per session, which is stored inside the HTTP session and initialized only when the session is created.

Also, you can set the cuba.web.useSessionFixationProtection application property to true. In this case, a new session with a new CSRF token will be created when the user logs in.

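The answer above relies on the CSRF token living and dying with the HTTP session. As an added example, not CUBA or Vaadin code, here is the same lifecycle written against the plain Servlet API: a new session id and token at login (the effect of session fixation protection), destruction of both at logout, and a constant-time check of a submitted token. The class name `SessionBoundCsrf` and the attribute name are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper (not CUBA/Vaadin code) showing the session-bound CSRF token
// lifecycle: fresh session and token at login, both discarded at logout.
public final class SessionBoundCsrf {
    static final String TOKEN_ATTR = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    /** Call after credentials are verified: rotate the session id and mint a new token. */
    public static String onLogin(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        // Servlet 3.1: keep session state but issue a new id, defeating session fixation.
        request.changeSessionId();
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    /** Call on logout: invalidating the session discards the token with it. */
    public static void onLogout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /** Validate a submitted token against the one bound to the current session. */
    public static boolean isValid(HttpServletRequest request, String submitted) {
        HttpSession session = request.getSession(false);
        if (session == null || submitted == null) {
            return false;
        }
        Object expected = session.getAttribute(TOKEN_ATTR);
        if (!(expected instanceof String)) {
            return false;
        }
        // Constant-time comparison so response timing does not leak token bytes.
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

After `onLogout`, any token captured during the old session fails `isValid` because no session holds it any more, which is the property the original question asks for.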

Thanks for your support.