From b91e0faa08a69d9c3002cd400acd59123e8e64bf Mon Sep 17 00:00:00 2001 From: Junhyunny Date: Wed, 10 Jul 2024 21:37:39 +0900 Subject: [PATCH 1/2] Correct Explanation for HttpSessionCsrfTokenRepository --- docs/modules/ROOT/pages/servlet/exploits/csrf.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc index 3dd8e7a1806..a4aa0d8982c 100644 --- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc +++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc @@ -130,7 +130,7 @@ You can also specify <> to By default, Spring Security stores the expected CSRF token in the `HttpSession` by using {security-api-url}org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.html[`HttpSessionCsrfTokenRepository`], so no additional code is necessary. -The `HttpSessionCsrfTokenRepository` reads the token from an HTTP request header named `X-CSRF-TOKEN` or the request parameter `_csrf` by default. +The `HttpSessionCsrfTokenRepository` reads the token from a session (whether in-memory, cache, or database). If you need to access the session attribute directly, please first configure the session attribute name using HttpSessionCsrfTokenRepository#setSessionAttributeName. You can specify the default configuration explicitly using the following configuration: From 8e8520b48c55074e7bd6769d08ee443a28fb04cc Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Mon, 29 Jul 2024 13:59:47 -0600 Subject: [PATCH 2/2] Polish Inline Code Formatting --- docs/modules/ROOT/pages/servlet/exploits/csrf.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc index a4aa0d8982c..645803e2967 100644 --- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc +++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc 
@@ -130,7 +130,7 @@ You can also specify <> to By default, Spring Security stores the expected CSRF token in the `HttpSession` by using {security-api-url}org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.html[`HttpSessionCsrfTokenRepository`], so no additional code is necessary. -The `HttpSessionCsrfTokenRepository` reads the token from a session (whether in-memory, cache, or database). If you need to access the session attribute directly, please first configure the session attribute name using HttpSessionCsrfTokenRepository#setSessionAttributeName. +The `HttpSessionCsrfTokenRepository` reads the token from a session (whether in-memory, cache, or database). If you need to access the session attribute directly, please first configure the session attribute name using `HttpSessionCsrfTokenRepository#setSessionAttributeName`. You can specify the default configuration explicitly using the following configuration:
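Review bot: In the first patch's hunk (the `-`/`+` pair at `@@ -130,7 +130,7 @@`), the replacement sentence drops the default names `X-CSRF-TOKEN` and `_csrf` entirely; the old wording was inaccurate about *who* reads them (the repository issues a token that carries the header and parameter names, it does not itself parse the request), but the names are still the defaults a reader needs when wiring a client, so consider keeping them, e.g. "The token it returns expects the actual value in the `X-CSRF-TOKEN` header or the `_csrf` parameter by default." Two smaller wording points in the same `+` line: "reads the token from a session (whether in-memory, cache, or database)" is about where the `HttpSession` is backed, not about the repository, so "regardless of how the `HttpSession` is stored" reads better; and "If you need to access the session attribute directly, please first configure the session attribute name" implies configuration is mandatory, whereas the attribute has a default and `setSessionAttributeName` only customizes it. Suggested: "If you need to read the session attribute directly, the attribute name can be customized with `HttpSessionCsrfTokenRepository#setSessionAttributeName`." Reference docs also usually avoid "please".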
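Review bot: In the second patch's hunk (the backtick-only change to `HttpSessionCsrfTokenRepository#setSessionAttributeName`), the line two sentences earlier links the class with the `{security-api-url}org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.html[...]` macro; for consistency the method reference should use the same link form rather than plain inline code, so the reader lands on the Javadoc for `setSessionAttributeName` directly.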