Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CSRF Token necessary when using Stateless(= Sessionless) Authentication?

People also ask

Is CSRF token stateless?

Stateless CSRF Protection The server no longer has to worry about it, and encryption keeps the token secure while the browser stores it. We have moved the "state" from your server to the user's browser.

Is CSRF token necessary?

CSRF tokens prevent CSRF because without token, attacker cannot create a valid requests to the backend server. CSRF tokens should not be transmitted using cookies. The CSRF token can be added through hidden fields, headers, and can be used with forms, and AJAX calls.

Is CSRF token necessary for REST API?

The CSRF token is required for any later REST API calls. The client must send a valid token with every API request. The token is sent in a custom request HTTP header. The name of the custom header is X-IBM-SPM-CSRF.

When should CSRF token be generated?

A CSRF Token is a secret, unique and unpredictable value a server-side application generates in order to protect CSRF vulnerable resources. The tokens are generated and submitted by the server-side application in a subsequent HTTP request made by the client.


I found some information about CSRF + using no cookies for authentication:

  1. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
    "since you are not relying on cookies, you don't need to protect against cross site requests"

  2. http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/
    "If we go down the cookies way, you really need to do CSRF to avoid cross site requests. That is something we can forget when using JWT as you will see."
    (JWT = Json Web Token, a Token based authentication for stateless apps)

  3. http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services
    "The easiest way to do authentication without risking CSRF vulnerabilities is to simply avoid using cookies to identify the user"

  4. http://sitr.us/2011/08/26/cookies-are-bad-for-you.html
    "The biggest problem with CSRF is that cookies provide absolutely no defense against this type of attack. If you are using cookie authentication you must also employ additional measures to protect against CSRF. The most basic precaution that you can take is to make sure that your application never performs any side-effects in response to GET requests."

There are plenty more pages, which state that you don't need any CSRF protection, if you don't use cookies for authentication. Of course you can still use cookies for everything else, but avoid storing anything like session_id inside it.


If you need to remember the user, there are 2 options:

  1. localStorage: An in-browser key-value store. The stored data will be available even after the user closes the browser window. The data is not accessible by other websites, because every site gets its own storage.

  2. sessionStorage: Also an in browser data store. The difference is: The data gets deleted when the user closes the browser window. But it is still useful, if your webapp consists of multiple pages. So you can do the following:

  • User logs in, then you store the token in sessionStorage
  • User clicks a link, which loads a new page (= a real link, and no javascript content-replace)
  • You can still access the token from sessionStorage
  • To logout, you can either manually delete the token from sessionStorage or wait for the user to close the browser window, which will clear all stored data.

(for both have a look here: http://www.w3schools.com/html/html5_webstorage.asp )


Are there any official standards for token auth?

JWT (Json Web Token): I think it's still a draft, but it's already used by many people and the concept looks simple and secure. (IETF: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-25 )
There are also libraries for lot's of framework available. Just google for it!


TL;DR

A JWT, if used without Cookies, negates the need for a CSRF token - BUT! by storing JWT in session/localStorage, your expose your JWT and user's identity if your site has an XSS vulnerability (fairly common). It is better to add a csrfToken key to the JWT and store the JWT in a cookie with secure and http-only attributes set.

Read this article with a good description for more info https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

You can make this CSRF protection stateless by including a xsrfToken JWT claim:

{ "iss": "http://galaxies.com", "exp": 1300819380, "scopes": ["explorer", "solar-harvester", "seller"], "sub": "[email protected]", "xsrfToken": "d9b9714c-7ac0-42e0-8696-2dae95dbc33e" }

So you will need to store the csrfToken in localStorage/sessionStorage as well as in the JWT itself (which is stored in a http-only and secure cookie). Then for csrf protection, verify that the csrf token in the JWT matches the submitted csrf-token header.