Spring Boot 3.0.4 does not set XSRF-TOKEN into response cookie

I’m trying to set the token in every response, but can’t. According to the Spring Boot documentation, this should set the token in a cookie:

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {

    http
        // ...
        .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()));
    return http.build();
}

My code is below, and there is no token in the response cookie:

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();

    http
        .oauth2Login(oauth2 -> oauth2
                // ... failure handler
        )
        .csrf((csrf) -> csrf
                .csrfTokenRepository(repository))
        .authorizeExchange(exchanges -> exchanges
            // ... other pathMatchers
            .pathMatchers("/").permitAll()
            .anyExchange().authenticated()
        )
        .headers().frameOptions().mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
        .and()
        .cors()
        .and()
        .logout()
        .logoutHandler(logoutHandler())
        .logoutSuccessHandler(oidcLogoutSuccessHandler(this.postLogoutRedirectUri))
        .and()
        .exceptionHandling().authenticationEntryPoint(....);
    return http.build();
}

If a filter is added like so:

import java.time.Duration;

import org.springframework.http.ResponseCookie;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

public class CsrfHelperFilter implements WebFilter {
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        // The CSRF token is stored in the exchange as a deferred Mono; subscribing to it persists it.
        String key = CsrfToken.class.getName();
        Mono<CsrfToken> csrfToken = exchange.getAttributeOrDefault(key, Mono.empty());
        // doOnNext (not doOnSuccess) so an empty Mono does not hand a null token to the lambda
        return csrfToken.doOnNext(token -> {
            ResponseCookie cookie = ResponseCookie.from("XSRF-TOKEN", token.getToken()).maxAge(Duration.ofHours(1))
                    .httpOnly(false).path("/").build();
            exchange.getResponse().getCookies().add("XSRF-TOKEN", cookie);
        }).then(chain.filter(exchange));
    }
}

then the token is in the cookie, but it has too many characters (4936) and I get an error in the browser:

Set-Cookie header is ignored in response from url: https://url... The combined size of the name and value must be less than or equal to 4096 characters.

If I use the same filter and .csrf() with no params, then the token is set and GET is working, but POST is giving me 403 and ‘Invalid CSRF Token’.
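As an added example (not from the original post and not Spring's own code), the configuration below shows the pattern the Spring Security 6 reference describes for WebFlux single-page apps: the CsrfToken the CsrfWebFilter puts into the exchange is deferred, so nothing is written until something subscribes to it. A filter registered after the CSRF filter subscribes on every request, and when no XSRF-TOKEN cookie is present yet, CookieServerCsrfTokenRepository generates and saves the token itself, which is what emits the Set-Cookie header. No cookie is added by hand, so the value written is the repository's own token, exactly once. The class, bean and filter names are assumptions; the matcher rules are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

// Hypothetical configuration class; names are assumptions, not from the original post.
@Configuration
@EnableWebFluxSecurity
public class CsrfCookieConfig {

    @Bean
    public SecurityWebFilterChain csrfCookieFilterChain(ServerHttpSecurity http) {
        http
            .csrf(csrf -> csrf
                // The token lives in a cookie the browser can read (httpOnly=false) so that
                // client-side code can copy it into the X-XSRF-TOKEN request header, which is
                // the header name CookieServerCsrfTokenRepository checks by default.
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
            // Must run after CsrfWebFilter, which is what puts the deferred token in the exchange.
            .addFilterAfter(new CsrfCookieFilter(), SecurityWebFiltersOrder.CSRF)
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/").permitAll()      // placeholder rules
                .anyExchange().authenticated());
        return http.build();
    }

    /**
     * Subscribes to the deferred CsrfToken on every request. The subscription is what
     * drives the repository's load-or-generate-and-save logic; with the cookie repository
     * that produces the Set-Cookie: XSRF-TOKEN header. Nothing else is needed here.
     */
    static class CsrfCookieFilter implements WebFilter {
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            Mono<CsrfToken> csrfToken =
                exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
            return csrfToken
                .doOnSuccess(token -> { /* only the subscription matters */ })
                .then(chain.filter(exchange));
        }
    }
}
```

To confirm the cookie is being issued, request any permitted path without an existing cookie jar and look for a Set-Cookie header whose name is XSRF-TOKEN in the response; on a later POST, the request must carry both that cookie and an X-XSRF-TOKEN header with the same value, otherwise the CSRF filter rejects it with 403.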
