TokenName not sent in requestHeader.

[prasjeku]

I have incorporated CSRFguard in my application which is spring based. When I debug the application after including filters in web.xml. I am seeing that the tokenname is being passed as null in the application. What am i doing wrong? I do see the mastertoken and the logicalsessionKey values when i debug the code.

The code is failing in line 231 in TokenService.java file.

Since its not able to get the token name from the request its throwing and exception and showing the error page saying "You don’t have permission to access the page!"

I see these in the logs
2023-12-07 09:56:09 ERROR Log:73 - Potential cross-site request forgery (CSRF) attack thwarted (user:, ip:0:0:0:0:0:0:0:1, method:POST, uri:/admin/login, error:Required Token is missing from the Request)
2023-12-07 09:56:09 WARN CsrfGuardFilter:143 - Invalid request: URI: '/admin/login' | Remote Address: '0:0:0:0:0:0:0:1'
2023-12-07 09:58:58 ERROR Log:73 - Potential cross-site request forgery (CSRF) attack thwarted (user:, ip:0:0:0:0:0:0:0:1, method:POST, uri:/admin/login, error:Required Token is missing from the Request)
2023-12-07 09:58:58 WARN CsrfGuardFilter:143 - Invalid request: URI: '/admin/login' | Remote Address: '0:0:0:0:0:0:0:1'

I am not able to figure out why the token name is missing from the request. Since its a login jsp page I don't need to explicitly add any tags in the page.

[forgedhallpass]

Hello @prasjeku,

It is hard to figure out what the problem may be, because you haven't provided enough information.

What I would recommend is to check out the test application in the repository which comes with sample configurations for stateful JSP applications. If you are you using JSPs you need to add in the relevant Maven dependency (csrfguard-jsp-tags), and then use the relevant tags in your pages. For the JavaScript approach, the csrfguard.js script needs to be loaded on every page you have, and of course your CSRFGuard configurations needs to be present and accessible by the solution.