using csrfGuard without SessionTokenKeyExtractor

[ACM-Unit]

HI,
could you please help me with next question?
Can I use csrfGuard with 4.1.1 version without using org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.SessionTokenKeyExtractor
I see following comment in properties file : "Defaults to 'org.owasp.csrfguard.session.ContainerSession', which uses the container's HttpSession in the background"
but if I change it to org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.ContainerSession I'll get exception

[forgedhallpass]

Hello @ACM-Unit,

Could you please let me know what exactly you are trying to achieve?

The LogicalSessionExtractor, as the name suggests is intended to extract logical sessions from requests. It has two methods that, return a LogicalSession interface. The default implementation for the LogicalSessionExtractor is the SessionTokenKeyExtractor, which uses a ContainerSession.

If your web application is stateful and uses container sessions (JSESSIONID), then you don't need to change anything, except adding the csrfguard-extension-session dependency (see https://github.com/OWASP/www-project-csrfguard#using-with-maven), where the reference implementation is stored.

Please see the bundled test application for an example.

If your webapp is stateless (e.g. using JWTs), then you'll have to implement your own LogicalSession and LogicalSessionExtractor, where you need to specify how to identify and extract the actor from a request, how to terminate the "user session" and so on.