Difference between 3.1.0 and 4.1.0 with respect to where the token is saved in the container #51
-
|
In 3.1.0, the token was saved as a session attribute while we see that it is stored in InMemoryTokenHolder. Is that the case always or will it ever be written to session? With 3.1.0, we depended on the value stored in the session to apply some business logic. It looks like the token is no more stored in the session as a result, we need to refactor our logic a bit during the upgrade. Even withe the @forgedhallpass Please confirm. Thank you in advance. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
Hello @deepak229,
Starting from version Saving the tokens to the session is not possible anymore, because it would create a tight coupling with the
Indeed. CSRF Guard provides a way of executing pre-defined and/or custom actions when specific errors or potential attacks are detected. These actions implement the TLDR: starting from version 4.0, tokens are not stored on the HTTP session anymore. |
Beta Was this translation helpful? Give feedback.
Hello @deepak229,
Starting from version
4.0a new abstraction layer (LogicalSession) has been introduced to support both stateless and stateful web applications. This means that in case of stateless web apps, there is no container session to rely on. For this reason, theTokenServiceaccesses tokens through theTokenHolderinterface. The reference implementation for this interface is theInMemoryTokenHolder, which can serve both use cases, but you could also create your own implementation for it (e.g. a DatabaseTokenHolder).Sav…