Issue
I have a problem with CSRF implementation in a Symfony REST project. I'm using AngularJS, a AuthToken cookie is stored using NG $cookie service, and sended to server in every request in a X-Auth-Token header, the problem do I really need to implement a CSRF protection?
Other question, if the answer was yes, how can I do that with Symfony? Because it store tokens in server sessions, which is not RESTful, what is the best method to implement a Django like CSRF system for example (I guess they store the CSRF token in a cookie and then compare it to the form input token?
Sorry for my bad english, thanks!
Solution
Basically you need CSRF protection when an attacker (from his own application) can make a user of yours inadvertently issue a valid request to your application that changes server state.
In short this mostly means non-GET requests (unless GETs change stuff, which they should not) with cookie-based authentication, because cookies will get sent even if the request was made from another website.
If you have the access token (used for authentication) in a header, you need to add that to requests in the Angular app, and an attacker will not be able to do that, so you don't need CSRF protection.
In case of token based authentication where the token is sent as a cookie, it would need CSRF protection. That would essentially be the same as plain cookie auth in this regard.
Answered By - Gabor Lengyel
Posts
0 Comments:
Post a Comment
Note: Only a member of this blog may post a comment.