Closed atulejko closed 8 years ago
My two cents:
I think the biggest issue with a service offering the functionality of simply fetching a CSRF token with a GET request is that an insecure CORS configuration can completely destroy the whole CSRF protection. It must not be this way.
It is advised that the CSRF token for Single Page Applications is returned once as a login result. This way the CSRF token is given additional protection by the user's secret password, so no external resource can simply request the CSRF token again.
I think it's more an OASP4J topic than an OASP4JS one. I'd close the issue here and open one for OASP4J.
@marpuch :+1: CSRF token obtained on login seems to be reasonable and robust solution :).
I agree. Please create an issue in oasp4j, link here and then close this one. The backend can simply mark in the session if the token has already been obtained and refuse subsequent requests.
Oasp4j issue has been created. This issue can be closed now.
The solution with the separate REST service is not a security issue, but can have the following consequences: