Current Behavior
I am developing an application consisting of a Single Page Application (JavaScript) and a backend written in Java using Spring Security. I am using the Spring Security OAuth2 client and have configured support for HTTP sessions. I have also implemented session cookie protection as described here, and everything works fine.
However, I need to scale my application horizontally. The issue arises because XorCsrfTokenRequestAttributeHandler uses an instance of SecureRandom. Although it is possible to inject a SecureRandom instance into each replica, the implementation of XorCsrfTokenRequestAttributeHandler produces its own sequence of SecureRandom values. This approach will not work correctly in a horizontally scaled environment.
The only solution I have come up with is:
- Use CsrfTokenRequestAttributeHandler as the handler.
- Use a combination of HttpSessionCsrfTokenRepository and CookieCsrfTokenRepository as the repository, so that the CSRF token is passed to the SPA via CookieCsrfTokenRepository, and the token is verified using the values from HttpSessionCsrfTokenRepository (as the source of truth).
Expected Behavior
My question is whether there is a better Spring Security solution for this problem, and if not, I would appreciate guidance on how a sensible implementation should work. It would be helpful if such guidance could be included in the documentation.
Context
JDK: 21
Spring Boot: 3.3.1
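The kind of minimal sample the maintainer asks for further down in this thread, written here as an added example that is not part of the original issue or of Spring Security itself: a JUnit 5 test that simulates two replicas, each with its own `XorCsrfTokenRequestAttributeHandler` (and therefore its own `SecureRandom` state), sharing one HTTP session as the source of truth for the raw token. Replica A masks the token for the SPA; replica B, which never saw A's random state, resolves the value the SPA sends back. The package name, the request paths and the presence of `spring-boot-starter-test` (Spring's servlet mocks plus AssertJ) on the classpath are assumptions.

```java
package com.example.csrf; // hypothetical package, not from the issue

import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;

class XorCsrfAcrossReplicasTests {

    // Two "replicas": identical configuration, but separate handler instances,
    // so each has its own SecureRandom and no shared random state.
    private final XorCsrfTokenRequestAttributeHandler replicaA = new XorCsrfTokenRequestAttributeHandler();
    private final XorCsrfTokenRequestAttributeHandler replicaB = new XorCsrfTokenRequestAttributeHandler();

    // The session holds the raw token and is what the replicas share
    // (in production through Spring Session or a replicated session store).
    private final HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();

    @Test
    void tokenMaskedOnReplicaAIsResolvedByReplicaB() {
        MockHttpSession sharedSession = new MockHttpSession();

        // 1. GET handled by replica A: generate the raw token, store it in the
        //    shared session, and expose a masked copy as the request attribute
        //    the SPA would read (e.g. via a cookie or a rendered page).
        MockHttpServletRequest get = new MockHttpServletRequest("GET", "/");
        get.setSession(sharedSession);
        MockHttpServletResponse getResponse = new MockHttpServletResponse();
        CsrfToken raw = repository.generateToken(get);
        repository.saveToken(raw, get, getResponse);
        replicaA.handle(get, getResponse, () -> raw);
        CsrfToken masked = (CsrfToken) get.getAttribute(CsrfToken.class.getName());
        // Masked value = Base64url(randomBytes || randomBytes XOR rawTokenBytes);
        // the random bytes travel with the token, they are not kept on replica A.
        String maskedValue = masked.getToken();
        assertThat(maskedValue).isNotEqualTo(raw.getToken());

        // 2. POST handled by replica B: it loads the raw token from the shared
        //    session and unmasks the header value with the random bytes it carries.
        MockHttpServletRequest post = new MockHttpServletRequest("POST", "/api/orders");
        post.setSession(sharedSession);
        post.addHeader(raw.getHeaderName(), maskedValue);
        CsrfToken expected = repository.loadToken(post);
        String resolved = replicaB.resolveCsrfTokenValue(post, expected);
        // CsrfFilter does this comparison in constant time and denies on mismatch.
        assertThat(resolved).isEqualTo(expected.getToken());

        // 3. Negative case: a truncated header decodes to the wrong length and
        //    resolves to null, so the filter would reject it.
        MockHttpServletRequest tampered = new MockHttpServletRequest("POST", "/api/orders");
        tampered.setSession(sharedSession);
        tampered.addHeader(raw.getHeaderName(), maskedValue.substring(0, maskedValue.length() - 4));
        assertThat(replicaB.resolveCsrfTokenValue(tampered, expected)).isNull();
    }
}
```

Because the mask's random bytes are prepended to the masked value, what has to be shared between replicas is the raw token (the session, or whatever `CsrfTokenRepository` backs it), not the handler's `SecureRandom`; `setSecureRandom` on the handler is only needed for deterministic tests.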
Comment From: sjohnr
Hi @jarekkar. Apologies for the late reply.
> This approach will not work correctly in a horizontally scaled environment.
I don't see any supporting details. Can you please provide a minimal, reproducible sample? Perhaps in the form of a unit test that simulates the problem?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.