When using the org.springframework.security.web.csrf.CookieCsrfTokenRepository for CSRF protection, no information is stored in the HTTP session. When an org.springframework.security.web.csrf.MissingCsrfTokenException is thrown, because there was no CSRF cookie, the message is misleading and confusing at first:

org.springframework.security.web.csrf.MissingCsrfTokenException: Could not verify the provided CSRF token because your session was not found.

I was scratching my head, "which session!?".

The message is hardcoded in the MissingCsrfTokenException; the exception is thrown in org.springframework.security.web.csrf.CsrfFilter#doFilterInternal when tokenRepository.loadToken returns null.

A very simple fix would be to change the message to something akin to

"Could not verify the provided CSRF token because no token was found in the CSRF token repository."

A slightly more involved fix would create a different message for the different token repository implementations, like "because your session was not found" and "because no cookie was found" respectively, but that would require changing the CsrfTokenRepository interface to add a message getter or some other means by which the CsrfFilter can generate the appropriate message.

If you think either solution is worthwhile, I can provide a pull request.
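Until the message is changed upstream, the same effect can be had on the application side with an AccessDeniedHandler that knows which CsrfTokenRepository is configured. The following is an added example, not code from the issue or from Spring Security; it assumes Spring Security 5.x (javax.servlet) and that the CsrfFilter uses the handler registered via exceptionHandling().accessDeniedHandler(...), and the class name is hypothetical.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

/**
 * Hypothetical handler (example code, not part of Spring Security) that replaces the
 * hardcoded "your session was not found" wording with one that matches the repository
 * actually in use, so that a missing cookie is reported as a missing cookie.
 */
public class RepositoryAwareCsrfDeniedHandler implements AccessDeniedHandler {

    private final CsrfTokenRepository tokenRepository;

    public RepositoryAwareCsrfDeniedHandler(CsrfTokenRepository tokenRepository) {
        this.tokenRepository = tokenRepository;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException ex) throws IOException {
        // Only explain why verification failed; never echo the submitted token value.
        String reason = (ex instanceof MissingCsrfTokenException)
                ? "Could not verify the provided CSRF token because " + describeMissingToken()
                : "Invalid CSRF token";
        response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
    }

    private String describeMissingToken() {
        // CookieCsrfTokenRepository keeps nothing in the session, so name the cookie instead.
        if (tokenRepository instanceof CookieCsrfTokenRepository) {
            return "no CSRF cookie was found.";
        }
        return "no token was found in the CSRF token repository.";
    }

    // Registration inside a WebSecurityConfigurerAdapter#configure(HttpSecurity http)
    // (assumed wiring; both DSL calls exist in Spring Security 5.x):
    //   CsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
    //   http.csrf().csrfTokenRepository(repo)
    //       .and().exceptionHandling()
    //       .accessDeniedHandler(new RepositoryAwareCsrfDeniedHandler(repo));
}
```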

Comment From: edmundham

Hello, is there any plan to have this in other versions, e.g. 5.5.x?

Comment From: marcusdacoregio

Hello @edmundham. Thank you for reminding me of that; somehow it got lost in my notes. Will do it up to 5.2.x.