Does csrfguard support multiple web servers in load balancing environment?

[sumaharjan]

csrfguards saves token in memory under ConcurrentHashMap, thus, I doubt if it works in multi stack environment. The request can be served in any of web server which might not have token in memory , hence might treat even legitimate request as threat. Please let me know if there is anything different to my thought. Thanks in advance

[forgedhallpass]

1. If you need session replication you could try tying the tokens back to the session, so they would be automatically replicated (although it would require changes in the library and you would need to find a way for the TokenHolder interface not to depend on HTTP sessions directly, because that would not make sense in case of stateless web apps).

2. Have you considered/tried moving the tokens to a database or to an in-memory cache instead of relying on the InMemoryTokenHolder?

Taken from #121 (comment)