
MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #10436

@darioseidl

When using the org.springframework.security.web.csrf.CookieCsrfTokenRepository for CSRF protection, no information is stored in the HTTP session. When an org.springframework.security.web.csrf.MissingCsrfTokenException is thrown because there was no CSRF cookie, the message is misleading and confusing at first:

org.springframework.security.web.csrf.MissingCsrfTokenException: Could not verify the provided CSRF token because your session was not found.

I was scratching my head, "which session!?".

The message is hardcoded in the MissingCsrfTokenException; the exception is thrown in org.springframework.security.web.csrf.CsrfFilter#doFilterInternal when tokenRepository.loadToken returns null.

A very simple fix would be to change the message to something akin to

"Could not verify the provided CSRF token because no token was found in the CSRF token repository."

A slightly more involved fix would create a different message for the different token repository implementations, like "because your session was not found" and "because no cookie was found" respectively, but that would require changing the CsrfTokenRepository interface to add a message getter or some other means by which the CsrfFilter can generate the appropriate message.

If you think either solution is worthwhile, I can provide a pull request.
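An application-side way to get the clearer, repository-specific message described in the report without touching the CsrfTokenRepository interface, as an added example that is not part of the issue or of Spring Security's own code: a custom AccessDeniedHandler registered through HttpSecurity, which CsrfFilter picks up for its own denials, checks for MissingCsrfTokenException and names the place the token was missing from. It assumes the Spring Security 5.4+ Java configuration style with the javax.servlet API; the class name CsrfMessageConfig and the helper csrfAwareHandler are illustrative.

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

@Configuration
@EnableWebSecurity
public class CsrfMessageConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Tokens live in a cookie, so there is no session for the default message to refer to.
        CsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        http.csrf(csrf -> csrf.csrfTokenRepository(repository))
            // CsrfFilter takes its AccessDeniedHandler from the exception-handling configurer,
            // so the handler below is used for MissingCsrfTokenException as well.
            .exceptionHandling(ex -> ex.accessDeniedHandler(csrfAwareHandler(repository)));
        return http.build();
    }

    // Hypothetical handler: only the "token missing" case gets a rewritten message;
    // every other AccessDeniedException keeps its own message.
    static AccessDeniedHandler csrfAwareHandler(CsrfTokenRepository repository) {
        return (request, response, e) -> {
            String reason;
            if (e instanceof MissingCsrfTokenException) {
                // Same condition CsrfFilter reacts to: repository.loadToken(request) returned null.
                reason = (repository instanceof CookieCsrfTokenRepository)
                        ? "no CSRF cookie was found on the request"
                        : "no CSRF token was found in the CSRF token repository";
            } else {
                reason = e.getMessage();
            }
            // The message names the repository kind only; it never echoes a token value.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Could not verify the provided CSRF token because " + reason + ".");
        };
    }
}
```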

Labels: in: web (An issue in web modules (web, webmvc)); status: backported (An issue that has been backported to maintenance branches); type: bug (A general bug)
