I'm trying to implement Tomcat's CSRF protection filter for my web app, where the users are stored in a MySQL DB, and because my controller is written to forward all requests, I've edited the filter mapping to
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
However, as per the OWASP recommendations, I'm also invalidating the user's session when they log in and then creating a new one.
This causes the filter to kick in and I get a 403.
I've looked around but cannot find a way to get the filter to work with this strategy.
So should I abandon the filter or invalidating the session?
A workaround is to define an additional page for a successful login.
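The workaround above, written out as an added example (not code from the question or from Tomcat): a login servlet that rotates the session and then redirects to a landing page that is listed in the filter's entryPoints init-param, so the first request to the new session is not nonce-checked. The /home path, the servlet and the credential check are assumptions; the credential check stands in for the MySQL lookup.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Why the 403 happens: CSRFPreventionFilter keeps its nonce cache as an
 * attribute of the HttpSession. session.invalidate() discards that cache,
 * so a FORWARD (or a redirect URL built with encodeRedirectURL) that still
 * carries the old nonce fails the check in the new session.
 *
 * Fix used here: redirect to a page listed in the filter's entryPoints
 * init-param, e.g. in web.xml:
 *   <init-param>
 *     <param-name>entryPoints</param-name>
 *     <param-value>/home</param-value>
 *   </init-param>
 * The GET to /home is not nonce-checked, and the filter seeds a fresh
 * nonce cache into the new session on that request.
 */
public class LoginServlet extends HttpServlet {

    private static final String LANDING_PAGE = "/home"; // assumed; listed in entryPoints

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!authenticate(req.getParameter("username"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate the session so a pre-login session id cannot be reused.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", req.getParameter("username"));
        // Redirect, not forward, and do not wrap the URL in encodeRedirectURL:
        // that would append a nonce belonging to the invalidated session.
        resp.sendRedirect(req.getContextPath() + LANDING_PAGE);
    }

    private boolean authenticate(String user, String pass) {
        // Constructed placeholder: replace with the MySQL-backed credential check.
        return "alice".equals(user) && "example-password".equals(pass);
    }
}
```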