Class SessionCsrfTokenManager

java.lang.Object
org.codelibs.fess.api.v2.SessionCsrfTokenManager

public class SessionCsrfTokenManager extends Object
Helper that issues, verifies, and rotates per-session CSRF tokens.

Tokens are 256-bit random strings encoded with the URL-safe Base64 alphabet (no padding) and stored under SESSION_ATTR on the HttpSession. The verification path uses a constant-time string comparison to avoid timing side-channels.

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    Session attribute name under which the CSRF token is stored.
  • Constructor Summary

    Constructors
    Constructor
    Description
    Default constructor used by the DI container.
  • Method Summary

    Modifier and Type
    Method
    Description
    issue(jakarta.servlet.http.HttpSession session)
    Returns the token bound to session, creating one if absent.
    rotate(jakarta.servlet.http.HttpSession session)
    Rotates the session's CSRF token: invalidates any existing token and issues a fresh one in a single atomic call from the session's perspective.
    boolean
    verify(jakarta.servlet.http.HttpSession session, String provided)
    Verifies that provided matches the token bound to session.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • SESSION_ATTR

      public static final String SESSION_ATTR
      Session attribute name under which the CSRF token is stored.
      See Also:
  • Constructor Details

    • SessionCsrfTokenManager

      public SessionCsrfTokenManager()
      Default constructor used by the DI container.
  • Method Details

    • issue

      public String issue(jakarta.servlet.http.HttpSession session)
      Returns the token bound to session, creating one if absent.
      Parameters:
      session - the HTTP session to read or update
      Returns:
      the existing or newly issued token
    • verify

      public boolean verify(jakarta.servlet.http.HttpSession session, String provided)
      Verifies that provided matches the token bound to session.
      Parameters:
      session - the HTTP session holding the stored token
      provided - the candidate token to validate (typically from a request header or form field)
      Returns:
      true when both tokens are non-empty and equal in constant time
    • rotate

      public String rotate(jakarta.servlet.http.HttpSession session)
      Rotates the session's CSRF token: invalidates any existing token and issues a fresh one in a single atomic call from the session's perspective.

      Callers that previously paired rotate(); issue(); will continue to work correctly because the second issue(HttpSession) call is idempotent — it returns the token already set by this method.

      Parameters:
      session - the HTTP session to rotate the token in
      Returns:
      the newly issued token, or null if session is null