Vue/SpringBoot: Why does my JSESSIONID keep changing
P粉163951336
2023-08-29 19:12:16
<p>I have a vue application with Spring Boot 3.0.1 backend and I want to use CSRF. The Vue frontend and Spring Boot backend are served by different systems. I'm planning to use an nginx reverse proxy to mitigate the CORS topic, but this problem occurs whether nginx is involved or not. </p>
<p>The first thing my vue application does is request the csrf token, storing it globally so that it can be used during the user session. </p>
<p>When a user logs in, several pinia stores are initialized. But unfortunately, during these requests, the JSESSIONID cookie sent with each request is ignored by the backend and a new JSESSIONID is issued. The JSESSIONID keeps changing while using the application and making further GET requests.</p>
<p>This makes the "global" stored CSRF token of the initial JSESSIONID invalid of course...</p>
<p>"csrf" request header: </p>
<p>"Login" title: </p>
<p>Then suddenly the 5th request got a new JSESSIONID even though I sent the JSESSIONID cookie (the one the server had sent) in the request. Why?</p>
<h2>Question</h2>
<p>Why do my sessions keep changing? Shouldn't my JSESSIONID always remain the same? </p>
<p>What is the intended way to use CSRF protection? Should I request a new token before every (non-GET?) request? (Mine is fetched using <code>credentials: "same-origin"</code>.)</p>
<p>I have</p>
<pre><code>.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)</code></pre>
<p>in my SecurityConfig, which is causing the trouble. As far as I know, removing it makes the CSRF usage work.</p>
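<p>As an added illustration (this is not part of the question and not the asker's code): the default <code>HttpSessionCsrfTokenRepository</code> keeps the CSRF token in the <code>HttpSession</code>, so it only survives as long as the JSESSIONID does, and a cookie-based login likewise needs the session to carry the <code>SecurityContext</code> between requests. The Spring Security 6.0 configuration below keeps the session for the login but moves the CSRF token into a readable <code>XSRF-TOKEN</code> cookie (double-submit pattern), following the single-page-application pattern from the Spring Security reference documentation. The package name, the <code>/api/**</code> prefix and HTTP Basic as a stand-in for the real login are assumptions made for this example.</p>

```java
// Added example (not the asker's code). Package, paths and the HTTP Basic
// stand-in for the real login are assumptions made for illustration.
package com.example.security;

import java.io.IOException;
import java.util.function.Supplier;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // A cookie-based login needs the HttpSession to carry the
            // SecurityContext between requests. IF_REQUIRED is the default;
            // STATELESS tells Spring Security never to persist the context
            // in the session, so the login would not survive to the next request.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
            .csrf(csrf -> csrf
                // Double-submit cookie: the token is issued in a readable
                // XSRF-TOKEN cookie instead of the HttpSession, so its validity
                // no longer depends on the JSESSIONID staying the same.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Accept the raw cookie value from the X-XSRF-TOKEN header (what
                // a SPA sends); form posts still use the BREACH-masked value.
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()))
            // Spring Security 6 defers token generation; this filter forces the
            // Set-Cookie on every response so the SPA always holds a current token.
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").authenticated() // assumed API prefix
                .anyRequest().permitAll())
            .httpBasic(Customizer.withDefaults());          // stand-in for the real login
        return http.build();
    }
}

// Resolves the token from the header without XOR unmasking (SPA case) and
// delegates to the masking handler for form parameters.
final class SpaCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {
    private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       Supplier<CsrfToken> csrfToken) {
        // Always expose the (masked) token as a request attribute via the XOR handler.
        this.delegate.handle(request, response, csrfToken);
    }

    @Override
    public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
        if (StringUtils.hasText(request.getHeader(csrfToken.getHeaderName()))) {
            // The header carries the raw cookie value: plain comparison.
            return super.resolveCsrfTokenValue(request, csrfToken);
        }
        // A form parameter carries the masked value: let the XOR handler unmask it.
        return this.delegate.resolveCsrfTokenValue(request, csrfToken);
    }
}

// Touches the deferred token so CookieCsrfTokenRepository writes the cookie.
final class CsrfCookieFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        csrfToken.getToken(); // loading the value triggers saveToken and the Set-Cookie
        filterChain.doFilter(request, response);
    }
}
```

<p>On the Vue side there is then no token to store "globally": before each state-changing request, read the current <code>XSRF-TOKEN</code> cookie and send its value in the <code>X-XSRF-TOKEN</code> header (the default names of <code>CookieCsrfTokenRepository</code>). If the frontend and backend are on different origins, <code>fetch</code> must use <code>credentials: "include"</code>; with <code>"same-origin"</code> the browser sends no cookies at all on a cross-origin request, so neither JSESSIONID nor the CSRF cookie reaches the backend and every request looks like a fresh client. Once nginx serves both under one origin, <code>"same-origin"</code> is sufficient.</p>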