[24.8] CSRF token handling is broken in Stateless Security #3697

@taefi

Description

Describe the bug

Based on the reports in the forum post about abnormal behavior of CSRF token handling in applications with stateless security, it seems that the changes for sharing the CSRF token with the Service Worker introduced a bug that results in getting 401 for subsequent requests after a successful login.
Disabling the CSRF (which makes the application work) is not an option in production since it makes the application vulnerable.

Expected behavior

As by default the JWT token is set in cookies, the application should work with CSRF enabled.

Reproduction

Needs reproduction.

System Info

V24.8
