It looks like it's just a bug.
By looking at the history of the function onAuthentication
, we can see that the first implementation only had the line:
this.csrfTokenRepository.saveToken(null, request, response);
Then, it was refactored by adding:
CsrfToken newToken = this.csrfTokenRepository.generateToken(request);
this.csrfTokenRepository.saveToken(newToken, request, response);
The first line with saveToken(null, ...)
was never removed, despite serving no purpose.
In a comment, AlphaD pointed to a comment on a github issue explaining why the first line was kept:
it is first invalidating the cookie and then setting the cookie. That is expected if you log out and then try and use a token
Which should not be needed because the second Set-Cookie:
should overwrite the previous cookie, thus invalidating it. In fact, this "obvious" behavior is not specified, so browsers are also free to discard the second declaration of a cookie with a conflicting name, which would break the expected behavior by the Spring developers.
Indeed, RFC6265 asks not ot use to Set-Cookie:
with the same cookie-name (here XSRF-TOKEN
), so this behavior is a pattern that is explicitly discouraged:
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name. (See Section 5.2 for
how user agents handle this case.)
Since this pattern should not happen and the RFC does not provide further recommendations, browsers are free to interpret it how they wish. Compatibility breaks with some browsers could happen at any time if they update their algorithm.