Vale fix.
russelljtdyer committed Sep 30, 2024
1 parent ee628d2 commit 1aeabb1
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -54,7 +54,7 @@ Vaadin follows the "Synchronizer Token Pattern". See the link:https://cheatsheet

UIDL requests are protected by `Vaadin-Security-Key` CSRF token. WebSocket requests are protected with `Vaadin-Push-ID` CSRF token.

This key is generated by Vaadin per UI instance -- Vaadin 10 is an exception in that the key is generated per session. It's sent to the browser as a part of UIDL JSON string included in the bootstrap response (i.e., initial HTML page) from the server. The key is sent by the server to the client only once per opened browser tab, and not repeated in each response. When the page is refreshed or the user opens a new tab, another key is generated by Vaadin and sent to the browser.
This key is generated by Vaadin per UI instance -- version 10 is an exception in that the key is generated per session. It's sent to the browser as a part of UIDL JSON string included in the bootstrap response (i.e., initial HTML page) from the server. The key is sent by the server to the client only once per opened browser tab, and not repeated in each response. When the page is refreshed or the user opens a new tab, another key is generated by Vaadin and sent to the browser.

Here's an example of sending CSRF tokens to the client, with other data omitted:
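
Review bot: In the changed sentence, "This key" has no clear referent, because the preceding paragraph names two tokens, `Vaadin-Security-Key` and `Vaadin-Push-ID`. Since the line is being edited anyway, name the token that the per-UI-instance scope (and the per-session exception for version 10) applies to, so readers do not have to guess which CSRF token has which lifetime. The same line also reads "as a part of UIDL JSON string", which is missing an article; "as part of the UIDL JSON string" would fix it.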

