In a project for a Spring Boot class, I was assigned to write the session login code. The project only required a simple CRUD app with a theme like a bookstore, checklist or blog, so I started with a light heart, but then I spent 10 hours on one error. Let me explain sessions first!
Session
: Server-side state, identified by a session ID, that lets the server remember a client across multiple requests.
It makes the interaction feel continuous even though HTTP itself is stateless (on its own, the server treats every request as new and remembers nothing about the client).
Session ID: A unique, unguessable identifier for each session, generated by the server. It is usually stored in a cookie in the client's browser (in Spring Boot the cookie is named JSESSIONID by default).
Lifecycle: A session starts when a user connects to the server (e.g. logs in) and ends when they log out, the session times out, or the server terminates it.
If I use a session for login:
- the user connects to the server and submits credentials
- the server issues a session ID
- the browser stores it in a cookie
- on every subsequent request, the browser automatically includes the session ID stored in the cookie
- the server checks the session ID against its session storage to confirm the user is authenticated, retrieves the associated user data, and then executes the corresponding logic depending on whether the session ID is valid.
If the user logs out or remains inactive for too long, the session expires.
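Here is the flow above as a Spring Boot 3 / Spring Security 6 REST controller. This is an added example, not the code from the class project: it assumes an AuthenticationManager bean is configured elsewhere, and the package and paths are illustrative. It shows the two steps that are easy to miss when hand-rolling session login: rotating the session ID at login (session fixation defence) and explicitly saving the SecurityContext into the HttpSession, which Spring Security 6 no longer does for you.

```java
// Added example (not the post's own code). Assumes an AuthenticationManager
// bean exists; package name and URL paths are illustrative.
package com.example.bookstore.auth;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/auth")
public class SessionLoginController {

    private final AuthenticationManager authenticationManager;
    // Persists the SecurityContext into the HttpSession. Spring Security 6
    // does not save a context that was only placed on the holder.
    private final SecurityContextRepository contextRepository =
            new HttpSessionSecurityContextRepository();

    public SessionLoginController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public record LoginRequest(String username, String password) {}

    @PostMapping("/login")
    public ResponseEntity<String> login(@RequestBody LoginRequest body,
                                        HttpServletRequest request,
                                        HttpServletResponse response) {
        Authentication auth;
        try {
            auth = authenticationManager.authenticate(
                    UsernamePasswordAuthenticationToken.unauthenticated(
                            body.username(), body.password()));
        } catch (AuthenticationException e) {
            // One generic answer for "no such user" and "wrong password":
            // no username enumeration.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("invalid credentials");
        }

        // Issue a fresh session id at the moment of login. A session id an
        // attacker planted before login must not be promoted to an
        // authenticated one (session fixation).
        request.getSession(true);
        request.changeSessionId();

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);
        contextRepository.saveContext(context, request, response);
        request.getSession().setMaxInactiveInterval(30 * 60); // idle timeout, seconds

        // The servlet container sets the JSESSIONID cookie on this response;
        // the browser sends it back on every later request.
        return ResponseEntity.ok("logged in as " + auth.getName());
    }

    @GetMapping("/me")
    public ResponseEntity<String> me(Authentication auth) {
        // Resolved by Spring Security from the session; null when not logged in.
        if (auth == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        return ResponseEntity.ok(auth.getName());
    }

    @PostMapping("/logout")
    public ResponseEntity<Void> logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create one just to end it
        if (session != null) {
            session.invalidate(); // server-side state is gone; the old cookie value is now dead
        }
        SecurityContextHolder.clearContext();
        return ResponseEntity.noContent().build();
    }
}
```

Note that both POST endpoints here are state-changing, so with CSRF protection enabled (the Spring Security default) they also need a CSRF token, including the login request itself.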
Problem Solving
When I looked at the log, I realized that the request was not reaching the controller mapped to that URL because of SecurityConfig.
CSRF (Cross-Site Request Forgery):
A security issue where a malicious site tricks a logged-in user's browser into making unauthorized requests to another, trusted site. It works precisely because of the cookie mechanism above: the browser attaches the session cookie to any request bound for that site, no matter which page triggered it, so the server needs a second value (the CSRF token) that only the legitimate page can supply.
- Why API requests fail without a CSRF token
Spring Security expects the CSRF token to be sent with state-changing HTTP methods (e.g. POST, PUT, PATCH, DELETE). If the token is missing or does not match, the CSRF filter rejects the request with 403 Forbidden before it ever reaches the controller, which is why no controller log line appeared.
- Why SSR view requests work fine
In SSR (server-side rendering), the CSRF token is put into the rendered HTML form (for example, Thymeleaf's Spring Security integration adds a hidden _csrf field) or exposed in a cookie. When the user submits the form, the token is sent with the request and passes CSRF validation.
Since GET requests for HTML views are not state-changing, they don't require CSRF tokens.
- Issue with Postman API requests
When testing with Postman, the API request does not include the CSRF token, since Postman doesn't obtain and send CSRF tokens automatically the way a browser submitting a rendered form does.
This is why the request was rejected before it reached the controller.. ㅜ.ㅜ
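The tempting fix for the 403 is csrf.disable(), which removes the protection from every session-authenticated endpoint in the app. The configuration below is an added example, not the project's SecurityConfig: it keeps CSRF enabled and instead exposes the token in a readable cookie so that a non-browser client such as Postman can echo it back. Paths and the package name are illustrative.

```java
// Added example (not the post's own SecurityConfig). Package and paths are
// illustrative; the rest uses Spring Security 6 APIs.
package com.example.bookstore.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Load the token eagerly on every request so the XSRF-TOKEN cookie is
        // written on the first response (a plain GET is enough). This drops the
        // default XOR-masking handler and with it the BREACH hardening; fine
        // for a class project, revisit before production.
        CsrfTokenRequestAttributeHandler csrfHandler = new CsrfTokenRequestAttributeHandler();
        csrfHandler.setCsrfRequestAttributeName(null);

        http
            // Weak setting, shown for contrast only:
            //   .csrf(csrf -> csrf.disable())
            // makes the 403 go away and reintroduces CSRF everywhere.
            .csrf(csrf -> csrf
                // Cookie readable by JS/Postman; the JSESSIONID cookie stays HttpOnly.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(csrfHandler))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/api/auth/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            // SSR pages: the generated form carries the _csrf field automatically.
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config)
            throws Exception {
        return config.getAuthenticationManager();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

Testing from Postman then takes two steps: send any GET (for example GET /) and read the XSRF-TOKEN cookie the server sets; then send the POST with that cookie still attached and the same value in an X-XSRF-TOKEN header. The request now passes the CSRF filter and reaches the controller, and a request without the header is still rejected with 403, which is what you want for every other origin.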
Fortunately, I found the error on my own and fixed it! It was a valuable experience, as I realized the shortcomings of relying only on JWT token-based login.