LocaleChangeInterceptor not protected against CSRF [SPR-13032]

**[Mark Janssen](https://jira.spring.io/secure/ViewProfile.jspa?name=praseodym)** opened **[SPR-13032](https://jira.spring.io/browse/SPR-13032?redirect=false)** and commented

When [Spring Security CSRF protection](http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-configure) is enabled, all POST requests are protected against CSRF. [Logout requests are made HTTP POST-only](http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-logout) to prevent against malicious logouts.

The LocaleChangeInterceptor also changes the user's (session) state, but is not protected against CSRF by default. In addition, there is no configuration option available to make it POST-only.

---

**Affects:** 4.1.6

**Issue Links:**
- #21241 CookieLocaleResolver is not RFC6265 compliant when setting a locale and time zone
- #14091 Better handling of illegal locale values in LocaleChangeInterceptor

**Referenced from:** commits https://github.com/spring-projects/spring-framework/commit/90d54285d292fca38727700874824092fb6a3dc9, https://github.com/spring-projects/spring-framework/commit/0dd320f92e31d516df9c5f85d4ddbe16ffeaa2cc


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

LocaleChangeInterceptor not protected against CSRF [SPR-13032] #17624

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

LocaleChangeInterceptor not protected against CSRF [SPR-13032] #17624

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions