miguelgrinberg / Flask-HTTPAuth

Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes
MIT License
1.27k stars, 228 forks

add HTTPCookieAuth for token auth in req cookies #166

Closed mattproetsch closed 1 month ago

mattproetsch commented 1 month ago

This allows users to create an HTTPCookieAuth, which is used like HTTPTokenAuth, but reads the token value from a cookie in the request instead of from an HTTP header.

Using a cookie with httponly=true; samesite=strict; secure=true flags can be more secure than reading from an HTTP header because the browser will never allow JavaScript to read the token, which defends against XSS attacks sending the token to other servers. It is just sent automatically by the browser along with any request to the site which set the cookie.
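As an added illustration of the transport the description sketches (this is not the PR's code and not Flask-HTTPAuth's API), the following stands-alone on plain WSGI and the standard library so it runs without Flask. The cookie name `api_token`, the `VALID_TOKENS` table and the `/api/whoami` handler are assumptions; the Set-Cookie attributes are the ones named in the description.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "api_token"  # assumed cookie name, not from the PR

# Constructed token table (token -> user) for the example only.
# A real deployment would store hashes, not raw tokens.
VALID_TOKENS = {
    "tok-4f2c9a1d": "alice",
    "tok-91bb0e77": "bob",
}


def set_cookie_header(token):
    """Build the Set-Cookie value for the token cookie.

    HttpOnly keeps document.cookie from exposing the value, Secure keeps it
    off plaintext HTTP, and SameSite=Strict keeps the browser from attaching
    it to cross-site requests.  None of these stop script running on the
    same origin from issuing requests the browser will attach the cookie to.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


def token_from_cookie(cookie_header):
    """Extract the token from a raw Cookie request header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:  # malformed header: treat as no credential
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def verify_token(token):
    """Return the user owning a valid token, comparing in constant time."""
    if token is None:
        return None
    user = None
    for candidate, owner in VALID_TOKENS.items():
        # Compare against every entry so timing does not reveal a near match.
        if secrets.compare_digest(candidate.encode(), token.encode()):
            user = owner
    return user


def app(environ, start_response):
    """WSGI app: authenticate from the cookie, not the Authorization header."""
    user = verify_token(token_from_cookie(environ.get("HTTP_COOKIE", "")))
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}".encode()]


def call_app(cookie_header):
    """Invoke the app with a constructed request, the way a browser would
    after attaching (or not attaching) the cookie.  Returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/whoami"}
    if cookie_header is not None:
        environ["HTTP_COOKIE"] = cookie_header
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    print(set_cookie_header("tok-4f2c9a1d"))
    print(call_app(None))
    print(call_app("api_token=tok-4f2c9a1d"))
    print(call_app("api_token=bogus"))
```

The `call_app("api_token=...")` call is exactly what the browser performs for any same-origin request once the cookie is set, whether the request came from the page's own code or from script injected into it; the server sees the same header either way, which is the distinction drawn in the replies that follow.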

miguelgrinberg commented 1 month ago

> which defends against XSS attacks

Not really. This would allow any JS code that runs in your page (like code for one of your dependencies or code that was injected by a malicious user) to send authenticated requests to your server.

mattproetsch commented 1 month ago

> which defends against XSS attacks
>
> Not really. This would allow any JS code that runs in your page (like code for one of your dependencies or code that was injected by a malicious user) to send authenticated requests to your server.

Yes, good feedback. I should have said that a cookie with those flags helps defend specifically against credential-stealing XSS attacks. Thanks for approving the run. I forgot to lint before submitting this PR, so let me fix that.

miguelgrinberg commented 1 month ago

Hi, thanks for the PR! I'm trying to see how this can benefit other users. What would be the benefit of using a home-grown cookie-based authentication that you disguise as being somewhat similar to HTTP Authentication, instead of using what everybody uses with Flask, which is Flask-Login? This isn't more (or less) secure than Flask-Login, so why not go with the solution most people use?

As I've asked above, I would be curious to know if there are any implementations out there that use a solution like the one you are proposing.

mattproetsch commented 1 month ago

Hi Miguel, I really only needed the ApiKey-like functionality in an HttpOnly cookie, which Flask-Login already provides. I should be using that instead. Thanks for pointing me in the right direction.

The behavior of the WWW-Authenticate header and the scheme/realm is because I was trying to keep all the tests passing after starting with the HTTPTokenAuth tests and modifying them to use a cookie instead of a header as a transport; there was no real protocol or product that I was trying to support.

Thanks for your patience (and sorry for the misguided PR).