Search code examples
javaspringsessionspring-securitysession-fixation

Expected CSRF token not found. Has your session expired?

I have research in SE about this issues and not found the answer to resolve the problem occur.

From my problem of view, every time I logout the session in web and open the new tab, this error always trigger . I think the session management not allow the csrf token to be exposed in another tab in browser.

When I trace the JSESSIONID in chrome cookies console,it shows that no response given compared to normal successful login which give response of JSESSIONID.

This is my login page form:

<form name='loginForm' action="<c:url value='/login' />" method="post">
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
        <div id="username_input">
            <div id="username_inputleft"></div>
            <div id="username_inputmiddle">                 
                <input type="text" name="username" id="url" placeholder="<spring:message code="login.name" />" >
                <img id="url_user" src="<c:url value="/resources/images/login/mailicon.png"/>" alt="">              
            </div>
            <div id="username_inputright"></div>
        </div>
        <div id="password_input">
            <div id="password_inputleft"></div>
            <div id="password_inputmiddle">                 
                <input type="password" name="password" id="url" placeholder="<spring:message code="login.password" />" >
                <img id="url_password" src="<c:url value="/resources/images/login/passicon.png"/>" alt="">              
            </div>
            <div id="password_inputright"></div>
        </div>
        <div id="submit">               
            <input type="image" src="<c:url value="/resources/images/login/submit_hover.png"/>" id="submit1"  value="Sign In" />                
            <input type="image" src="<c:url value="/resources/images/login/submit.png"/>" id="submit2"  value="Sign In"/>               
        </div>          
        </form>

I think the problem was from session management in my security configuration here:

.sessionManagement()
        .sessionFixation()
        .newSession()
        .maximumSessions( 1 );

but somehow I cannot solve the problem. I hope someone can help.

Update:

I logout by using this link:

<a href="<c:url value="/logout" />">
 <spring:url value="/resources/images/logout.jpg" var="logoutimg" />
 <img src="${logoutimg}">
 <spring:url value="/resources/images/logout_txt.jpg" var="logouttxtimg" />
 <img class="hidden-xs" src="${logouttxtimg}" />
</a>
Solution

  • For some reason, we need to use the /logout or /j_spring_security_logout to log the current user out. If we use another method to logout programmatically, the logout process will not complete unless I using the url provided. Thanks for help. If someone come out with the solution to logout programmtically completely without affecting the spring security, please tell me then. Thanks