Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

JWT + cookies + HTTPS + CSRF

Tags:

https

cookies

token

csrf

jwt

I already worked with JWT on mobile app but I will implement it on a website for the first time for the authentication and I have a little thing I still didn't understood :

  • if I use JWT token with localStorage, XSS attacks are possible
  • if I use JWT token with cookies, CRSF attacks are possible

..., but if I use JWT token over HTTPS with httpOnly+secure cookies and a token lifetime of 1 month, are CSRF attacks still possible in this case ?

I see all over the web for custom token with cookie or custom token with localStorage or JWT but I didn't explicitly get the answer of httpOnly+secure cookie + JWT + HTTPS + the need of CSRF.

like image 293
Alex Avatar asked Feb 10 '16 11:02

Alex

People also ask

Is CSRF needed with JWT?

There's no way someone can abuse XSS and take your JWT to impersonate you. If you put your JWTs in a header, you don't need to worry about CSRF.

Is HTTPOnly cookie safe from CSRF?

The answer is no - the HTTPOnly flag will not mitigate any of this. But let us concentrate on solving CSRF issue.

Should CSRF token be in cookie?

CSRF tokens should not be transmitted using cookies. Inserting the CSRF token in the custom HTTP request header via JavaScript is considered more secure than adding the token in the hidden field form parameter because it uses custom request headers.

Do same site cookies prevent CSRF?

Using one of the following values in the SameSite attribute of a session cookie, a website can protect itself from CSRF attack. Cookies set with SameSite : strict will disable cookies being sent to all third party websites.

1 Answers

If you are using JWT as an authentication token, it should be stored as a cookie marked httpOnly and secure, as apposed to using Local/Session Storage. As you mention, this protects against XSS attacks, where we are concerned about malicious JavaScript being injected into our page and stealing our session token.

  • A cookie marked httpOnly cannot be read by JavaScript, so it cannot be stolen in an XSS attack.
  • Local/Session Storage, however, can be read by JavaScript, so putting the session token there would make it vulnerable to an XSS attack.

However, making the session token cookie httpOnly and secure still leaves you vulnerable to CSRF attacks. To see why, remember that cookies are marked with the domain from which they originated, and the browser only sends cookies that match the domain to which the request is being sent (independent of the domain of the page the request was sent from). For example, suppose I'm signed into stackoverflow.com in one tab, and in another tab go to evil.com. If evil.com makes an ajax call to stackoverflow.com/delete-my-account, my stackoverflow authentication token cookie will be sent to the stackoverflow server. Unless that endpoint is protecting against CSRF, my account will be deleted.

There are techniques for preventing CSRF attacks. I would recommend reading this OWASP page on CSRF attacks and preventions.

like image 54
kuporific Avatar answered Sep 17 '22 15:09

kuporific
Sign in to Comment

Related questions

Cookie not being set in iframe
Can a subdomain delete a domain cookie?
CookieParser vs req.cookies expressjs
Why are cookies called "cookies"?
What is the difference between JWT and signed cookies?
Issue with storing and recalling cookies Javascript
How to use getServerSideProps for every pages in next.js?
read cookie value in jquery
Is there a Rack middleware for using sessions without cookies?
Auth with Unirest JAVA
Are there any viable alternatives to "classic" cookie authentication?
Server Sent Event Client with additional Cookie
Same-site flags were removed in Chromium 91 - How can I disable them for local development?
Different types of browser storage
Where cookie is managed in phonegap app with jquery?
Sharing data between php and node.js via cookie securely
How does a web beacon(web bug) work?
'Remember-me' authentication feature, does it always mean 'Unsecure' Website?
How does x11 authorization works? (MIT Magic Cookie)
Include cookie in swagger doc requests

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!