AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

[Feature] cookie #28

Closed ghetolay closed 3 years ago

ghetolay commented 5 years ago

Would it be viable to add an option for the cookie variant?

We would need to set a cookie (name configurable) at login and during access check for it instead of the Authorization header.

AnthonyDeroche commented 5 years ago

It could be viable, although token-based authentication does not usually use cookies. As the browser does not replay the "Authorization" header by itself when you have multiple tabs on the same domain, you are safe against CSRF attacks. By using cookies, you will be exposed.

ghetolay commented 5 years ago

I need cookies to protect static assets (js, css, svg, images...) that you don't load using js and so can't alter the headers sent on the request. Also, there is now the SameSite attribute to protect against CSRF.

I've started working on it, I'll open a PR once I'm done.
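
A sketch of the cookie variant requested in this thread, added here as an example and not code from mod_authnz_jwt or from the PR: token lookup prefers the existing Authorization header and falls back to a cookie whose name is configurable, and the login response sets that cookie with the SameSite attribute mentioned above. The function names, the cookie name "jwt" and the use of plain libc instead of the module's APR helpers are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy n bytes of s into a fresh NUL-terminated string (caller frees). */
static char *dup_range(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out) { memcpy(out, s, n); out[n] = '\0'; }
    return out;
}

/* Look up one cookie in a raw Cookie request header. Tolerates ";" and "; "
 * separators and trailing spaces, and does not confuse "jwt" with "jwt_other".
 * Returns NULL when the cookie is absent or has an empty value. */
static char *jwt_cookie_value(const char *cookie_header, const char *name)
{
    size_t nlen = name ? strlen(name) : 0;
    const char *p = cookie_header;
    if (!p || nlen == 0) return NULL;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;      /* skip separators */
        const char *end = strchr(p, ';');        /* end of this name=value pair */
        if (!end) end = p + strlen(p);
        if ((size_t)(end - p) > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0) {
            const char *v = p + nlen + 1;
            size_t vlen = (size_t)(end - v);
            while (vlen && isspace((unsigned char)v[vlen - 1])) vlen--;
            return vlen ? dup_range(v, vlen) : NULL;
        }
        p = end;
    }
    return NULL;
}

/* Lookup order: "Authorization: Bearer <token>" first, as the module does today;
 * the configured cookie only as a fallback (the static-asset case above). */
static char *jwt_extract_token(const char *authorization, const char *cookie_header, const char *cookie_name)
{
    if (authorization && strncmp(authorization, "Bearer ", 7) == 0 && authorization[7])
        return dup_range(authorization + 7, strlen(authorization + 7));
    return jwt_cookie_value(cookie_header, cookie_name);
}

/* Set-Cookie header for the login response. Secure and HttpOnly keep the token off
 * plain HTTP and away from scripts; SameSite=Strict stops the browser replaying it
 * on cross-site requests, which is the CSRF exposure discussed above. */
static int jwt_set_cookie_header(char *buf, size_t buflen, const char *name, const char *token)
{
    int n = snprintf(buf, buflen, "%s=%s; Path=/; Secure; HttpOnly; SameSite=Strict", name, token);
    return (n > 0 && (size_t)n < buflen) ? n : -1;   /* -1 if the buffer is too small */
}
```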

AnthonyDeroche commented 5 years ago

Ok perfect. Thanks for contributing.

adambrakhane commented 5 years ago

@ghetolay how has this been going? I briefly looked through your changes and things seem pretty well in place.

It has been a while since my C days, but I would love to help out if you need it.