HttpOnly Flag for CSRF Cookie created by CookieCsrfTokenRepository


Summary

The new CookieCsrfTokenRepository creates a new cookie in org.springframework.security.web.csrf.CookieCsrfTokenRepository.saveToken(CsrfToken, HttpServletRequest, HttpServletResponse). This cookie should be httpOnly by default; the setting should be configurable.

Actual Behavior

At the moment the cookie has no httpOnly flag.

Expected Behavior

The cookie should have the httpOnly flag by default and should be configurable when creating the CookieCsrfTokenRepository.

Configuration

// cookie-backed CSRF token repository instead of the session-backed default
CookieCsrfTokenRepository csrfTokenRepository = new CookieCsrfTokenRepository();
csrfTokenRepository.setCookieName(CsfSecurityConfiguration.csrfTokenCookieName);
// proposal to configure the httpOnly flag...
csrfTokenRepository.setCookieHttpOnly(true);

// inside configure(HttpSecurity http): register the repository with the CSRF configurer
http.csrf().csrfTokenRepository(csrfTokenRepository);

Version

4.1RC2

Sample

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 7 (6 by maintainers)

Top GitHub Comments

3 reactions
rwinch commented, Jun 28, 2016

@zauberpony Thanks for your feedback. I have replied below.

> What’s the primary Use-Case of CookieCsrfTokenRepository?

There are two use-cases. The first is for users who do not want to leverage the HTTP Session for persisting the CSRF token. This is not as secure as using a session, but it may be “secure enough” for some applications.

The second use-case is for working with JavaScript frameworks like AngularJS. It so happens that most of the defaults align with AngularJS as this makes life easier for users. In 4.1.1 we even provide a static factory method to make creating it with httpOnlyFalse easier.

> Thus, I would argue the “httpOnly” flag set to true is not a sane default

Due to the fact that it is not just for JavaScript frameworks and because a security framework should be secure by default, we need to keep the httpOnly flag set to true.

> At least an additional hint in the class-documentation

Agreed. We have already addressed this in 4.1.1 with #3865. We even created a static factory method to make life easier for users. You can find some of these changes in the SNAPSHOT version of the reference documentation.

0 reactions
elmarx commented, Jun 28, 2016

Hi folks,

What’s the primary Use-Case of CookieCsrfTokenRepository? Based on https://github.com/spring-projects/spring-security/pull/3805/commits/b3192787f516211103eb5855138be9497536707b#diff-1b867fd67a4cc7cb6ac6f86b970cf5d5R381 and the description in the API documentation I would assume it’s the go-to solution tailored specifically for AngularJS (or, with some configuration, other JavaScript code). Thus, I would argue the “httpOnly” flag set to true is not a sane default — since the very purpose of this CookieCsrfTokenRepository is to enable JavaScript to read the CSRF token (via cookie).

At least an additional hint in the class-documentation would be useful, e.g.: “if you intend to use this CSRF-Configuration with JavaScript, make sure to set CookieHttpOnly to false, but be aware of security-implications”.
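The two use cases rwinch distinguishes above (HttpOnly cookie with a server-rendered token, versus a script-readable cookie for AngularJS) and the cookie-to-header reading elmarx describes, worked through as an added example. This is illustration code written for this page, not code from the issue or from Spring Security. The cookie name XSRF-TOKEN, header X-XSRF-TOKEN and parameter _csrf are Spring Security's real defaults; the function names, the audit rules and the sample tokens are constructed here, and the Path=/ default is a simplification of the repository's context-path handling.

```python
"""Added example, not code from the issue or from Spring Security: a small
model of the cookie CookieCsrfTokenRepository issues and of the check
CsrfFilter performs, plus an audit of the attributes debated in the thread.
Cookie name XSRF-TOKEN, header X-XSRF-TOKEN and parameter _csrf are
Spring Security's real defaults; the functions, rules and sample values
are constructed for illustration."""
import hmac
from http import cookies

CSRF_COOKIE = "XSRF-TOKEN"
CSRF_HEADER = "X-XSRF-TOKEN"
CSRF_PARAM = "_csrf"
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}


def build_set_cookie(token, *, http_only=True, secure=True, path="/"):
    """Render the Set-Cookie header for the CSRF cookie. HttpOnly is the
    secure-by-default setting; http_only=False is the withHttpOnlyFalse()
    variant that lets AngularJS copy the token into a request header."""
    parts = [f"{CSRF_COOKIE}={token}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes;
    bare attributes such as HttpOnly map to True."""
    name_value, *raw_attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attrs = {}
    for attr in raw_attrs:
        key, sep, val = attr.partition("=")
        attrs[key.lower()] = val if sep else True
    return {"name": name, "value": value, "attrs": attrs}


def audit_csrf_cookie(set_cookie, *, js_must_read_token):
    """Return misconfiguration findings for a CSRF Set-Cookie header.
    js_must_read_token=True models the cookie-to-header (AngularJS) use
    case; False models a server-rendered _csrf field, where the cookie
    only has to reach the server."""
    cookie = parse_set_cookie(set_cookie)
    findings = []
    http_only = cookie["attrs"].get("httponly") is True
    if js_must_read_token and http_only:
        findings.append("HttpOnly set: script cannot read the token to send "
                        f"it in {CSRF_HEADER}; use withHttpOnlyFalse()")
    if not js_must_read_token and not http_only:
        findings.append("HttpOnly missing: token exposed to every script on "
                        "the origin although no script needs it")
    if cookie["attrs"].get("secure") is not True:
        findings.append("Secure missing: cookie is also sent over plain HTTP")
    return findings


def validate_request(method, cookie_header, headers, params):
    """Double-submit check as CsrfFilter does it: safe methods pass, other
    requests must present the cookie's token in the header or parameter."""
    if method.upper() in SAFE_METHODS:
        return True
    jar = cookies.SimpleCookie()
    jar.load(cookie_header)
    expected = jar[CSRF_COOKIE].value if CSRF_COOKIE in jar else ""
    lowered = {k.lower(): v for k, v in headers.items()}
    actual = lowered.get(CSRF_HEADER.lower()) or params.get(CSRF_PARAM) or ""
    if not expected or not actual:
        return False
    return hmac.compare_digest(expected, actual)  # constant-time compare


if __name__ == "__main__":
    # Constructed sample: the default (HttpOnly) cookie audited for the AngularJS use case.
    strict = build_set_cookie("tok123")
    print(strict, audit_csrf_cookie(strict, js_must_read_token=True))
    # AngularJS-style request: token copied from the readable cookie into the header.
    print(validate_request("POST", "XSRF-TOKEN=tok123; JSESSIONID=abc",
                           {"X-XSRF-TOKEN": "tok123"}, {}))
```

The audit makes the trade-off in the thread concrete: with the default HttpOnly cookie the token must reach the client some other way (a rendered _csrf field), and only the withHttpOnlyFalse() form works for a script that reads the cookie and replays it in the header. Either way the server-side comparison is the same double-submit check.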
