I'm trying to find an answer to the following.
csrftoken cookies? csrftoken exists, or is technically valid? I've attached an example screenshot of what I'm seeing: multiple csrftoken cookies with various cookie paths and expiry times (multitenancy, and various form paths).
Related:
This is a token generated by your server and provided to the client in some way. However, the big difference between a CSRF token and a session cookie is that the client will need to put the CSRF token in a non-cookie header (e.g., XSRF-TOKEN) whenever making a POST request to your backend.
There are different ways to do things (and some are framework specific). The two token process also serves as a good way to solve the CSRF problem. The token in the cookie and on the page are cryptographically linked. So the server has to do this check and proceed with processing this request if everything is good.
This is the most common way to validate CSRF tokens, however, there are scenarios where CSRF tokens do not need to be tied to sessions. An example of this is the double-submit technique. In a CSRF attack, the attacker causes the victim to send a request (the Cross-Site Request that is being Forged) to the server.
However, if your backend is at api.yoursite.com and your SPA is at www.othersite.com, then your frontend will not be able to read the XSRF-TOKEN cookie and you’ll want to go a different route with your CSRF token. Next, the only way this works is if our JavaScript code has access to the cookie.
It is not a requirement to only have one token, but a more common approach would be to update/refresh the CSRF token cookie on a single root path: /.
It really depends on how your server interprets the potential form posts that follow each token request. An easy approach is to store a newly generated token in the user's session storage (in memory or database) before setting the cookie. Then compare these two again on the server when the user's form POST arrives.
The browser stores multiple token cookies when each HTTP GET request (which responds with a token) specifies a custom cookie path. A more common approach would be to have one cookie for the purpose of protecting against CSRF.
You could make your tokens path specific, but this would not make your token more secure.
Testing token validity is entirely up to you.
Hope this helps.
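The following is an added example, not code from the question, the answer, or any framework. It models the two points made above in runnable form: a browser keeps one cookie per (name, path), so GETs that set csrftoken on different paths leave several csrftoken cookies behind, while a single root-path cookie is simply refreshed; and the session-tied check (store the token in the session, then compare against the submitted value) only recognises the most recently issued token, which is exactly why path-scoped tokens become stale. A stateless double-submit comparison, as mentioned in the related snippets, is included for contrast. The names CookieJar, issue_token, validate_post and validate_double_submit are assumptions made for this illustration; the tenant paths are constructed sample values.

```python
"""Toy model of CSRF token issuance, browser cookie storage and validation.
Added example; none of these names belong to a real framework."""
import hmac
import secrets

COOKIE_NAME = "csrftoken"


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match: decides whether a cookie is sent."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


class CookieJar:
    """Minimal browser cookie store: one entry per (name, path) pair."""

    def __init__(self):
        self._store = {}

    def set_cookie(self, name, value, path="/"):
        # Same name and path overwrites; a different path adds a second cookie.
        self._store[(name, path)] = value

    def cookies_named(self, name):
        """All stored cookies with this name, keyed by their path."""
        return {path: value for (n, path), value in self._store.items() if n == name}

    def sent_for(self, request_path):
        """Cookie values the browser would attach to a request for request_path."""
        out = {}
        for (name, path), value in self._store.items():
            if path_match(request_path, path):
                out.setdefault(name, []).append(value)
        return out


def issue_token(session, jar, cookie_path="/"):
    """GET handler: generate a token, remember it in the server-side session,
    then hand it to the browser as the csrftoken cookie on cookie_path."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token          # session holds only the latest token
    jar.set_cookie(COOKIE_NAME, token, path=cookie_path)
    return token


def validate_post(session, submitted_token):
    """Session-tied check: the token submitted with the POST (form field or
    header) must equal the one stored in the session. Constant-time compare."""
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)


def validate_double_submit(cookie_token, submitted_token):
    """Stateless double-submit check: cookie value must equal the submitted value."""
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def demo_path_scoped_tokens():
    """Two GETs that scope csrftoken to different paths leave two cookies."""
    jar, session = CookieJar(), {}
    issue_token(session, jar, cookie_path="/tenant-a/form")   # constructed path
    issue_token(session, jar, cookie_path="/tenant-b/form")   # constructed path
    return jar.cookies_named(COOKIE_NAME)


def demo_root_path_token():
    """Issuing twice on the root path just refreshes the single cookie."""
    jar, session = CookieJar(), {}
    issue_token(session, jar)
    issue_token(session, jar)
    return jar.cookies_named(COOKIE_NAME)


def demo_stale_scoped_token():
    """With path-scoped cookies the browser sends tenant A's old token to
    /tenant-a/form, but the session only remembers tenant B's token."""
    jar, session = CookieJar(), {}
    issue_token(session, jar, cookie_path="/tenant-a/form")
    issue_token(session, jar, cookie_path="/tenant-b/form")
    sent_a = jar.sent_for("/tenant-a/form")[COOKIE_NAME][0]
    sent_b = jar.sent_for("/tenant-b/form")[COOKIE_NAME][0]
    return validate_post(session, sent_a), validate_post(session, sent_b)


if __name__ == "__main__":
    print("path-scoped cookies:", len(demo_path_scoped_tokens()))
    print("root-path cookies:", len(demo_root_path_token()))
    print("POST to tenant-a / tenant-b accepted:", demo_stale_scoped_token())
```

The stale-token demo is the practical reason behind the answer's advice: once the session holds a single token, only the last path-scoped cookie still validates, and users with several open forms see spurious CSRF failures. Keeping one cookie on / means every path-matching request carries the same, current token.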