As per our security requirement, we want to reset the CSRF token when the user logs off from the application. The token is currently tied to the browser and host.
Thanks in advance.
Hi,
Do you mean Web Client CSRF token?
If yes, then you could simply invalidate the entire HTTP session, for instance, using an event listener bean.
```java
import com.haulmont.cuba.web.controllers.ControllerUtils;
import com.haulmont.cuba.web.security.events.AppLoggedOutEvent;
import com.vaadin.server.Page;
import org.springframework.context.ApplicationListener;
import org.springframework.stereotype.Component;

// Spring bean in the web module: reacts to the CUBA logout event.
@Component
public class AppLoggedOutEventListener implements ApplicationListener<AppLoggedOutEvent> {

    @Override
    public void onApplicationEvent(AppLoggedOutEvent event) {
        // Build the current application URL (without query parameters) and append
        // the "restartApp" flag, which makes CUBA close the current HTTP session
        // and start a fresh one, so a new Vaadin CSRF token is generated.
        String url = ControllerUtils.getLocationWithoutParams() + "?restartApp";
        // Reload the page in the same browser tab to trigger the restart.
        Page.getCurrent().open(url, "_self");
    }
}
```
Vaadin uses a single CSRF token per session, which is stored in the HTTP session and initialized only when the session is created.
Also, you can set the cuba.web.useSessionFixationProtection application property to true. In this case, a new session with a new CSRF token will be created when the user logs in.
Thanks for your support.