using csrfGuard without SessionTokenKeyExtractor #44
HI, |
Replies: 1 comment
Hello @ACM-Unit,

Could you please let me know what exactly you are trying to achieve?

The `LogicalSessionExtractor`, as the name suggests, is intended to extract logical sessions from requests. It has two methods that return a `LogicalSession` interface. The default implementation for the `LogicalSessionExtractor` is the `SessionTokenKeyExtractor`, which uses a `ContainerSession`.

If your web application is stateful and uses container sessions (JSESSIONID), then you don't need to change anything, except adding the `csrfguard-extension-session` dependency (see https://github.com/OWASP/www-project-csrfguard#using-with-maven), where the reference implementation is stored.

Please see the bundled test application for an example.

If your webapp is stateless (e.g. using JWTs), then you'll have to implement your own …