Closed. ghetolay closed this issue 3 years ago.
It could be viable, although a token-based authentication does not usually use cookies. As the browser does not replay the "Authorization" header by itself when you have multiple tabs on the same domain, you are safe against CSRF attacks. By using a cookie, you will be exposed.
I need a cookie to protect static assets (js, css, svg, images...) that you don't load using js and so can't alter the headers sent on the request. Also there is now the SameSite attribute to protect against CSRF.
I've started working on it, I'll open a PR once I'm done.
Ok perfect. Thanks for contributing.
@ghetolay how has this been going? I briefly looked through your changes and things seem pretty well in place.
It has been a while since my C days, but I would love to help out if you need it.
Would it be viable to add an option for the cookie variant?
We would need to set a cookie (name configurable) at login and during access check for it instead of the Authorization header.
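The cookie variant described above, as an added example in C (the project's language) that is not the project's own code: token selection falling back from the Authorization header to a configurable cookie, and the Set-Cookie attributes behind the SameSite point raised in the thread. `cookie_name` stands in for the hypothetical configuration option.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not the project's code: copy n bytes into a new string. */
static char *dupn(const char *s, size_t n) {
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Find a cookie by exact name in a Cookie request header. The name must be
 * followed by '=' and a non-empty value, so "xjwt=..." never matches "jwt". */
char *cookie_lookup(const char *cookie_header, const char *name) {
    size_t nlen = strlen(name);
    const char *p = cookie_header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;              /* skip separators */
        const char *end = strchr(p, ';');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > nlen + 1 && strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return dupn(p + nlen + 1, seglen - nlen - 1);   /* caller frees */
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Token selection as proposed in the thread: Authorization header first, then
 * the configurable cookie (cookie_name stands for the hypothetical option). */
char *token_from_request(const char *authorization, const char *cookie_header,
                         const char *cookie_name) {
    static const char prefix[] = "Bearer ";
    size_t plen = sizeof prefix - 1;
    if (authorization && strncmp(authorization, prefix, plen) == 0 &&
        authorization[plen] != '\0')
        return dupn(authorization + plen, strlen(authorization + plen));
    if (cookie_header && cookie_name)
        return cookie_lookup(cookie_header, cookie_name);
    return NULL;
}

/* Set-Cookie value issued at login. HttpOnly keeps the token from scripts,
 * Secure keeps it off plaintext HTTP, SameSite=Strict is the CSRF mitigation
 * the thread mentions. Returns the length written, or -1 if buf is too small. */
int build_set_cookie(char *buf, size_t buflen, const char *name, const char *token) {
    int n = snprintf(buf, buflen, "%s=%s; Path=/; HttpOnly; Secure; SameSite=Strict",
                     name, token);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}
```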