how to implement csrf protection for cross domain requests
I have two web apps, one for the Web UI in AngularJS and one for the REST webservices in Java. Both are deployed on separate domains.
The applications uses cookie for au
-
You were on the right track with this:
I also tried to implement the creation of the csrf cookie on the Web UI itself in the browser but the browser does not send the cookie to the webservice as its in different domain.
The CSRF cookie isn't meant to be "sent" to the server, it is meant to be read by the client and then supplied in a custom HTTP request header. Forged GET requests (triggered by HTML tags such as
Here is how you can implement the idea you were working on, imagine you have
api.domain.comandui.domain.com:1) User loads the Angular client from
ui.domain.com2) User posts authentication information from Angular client to
api.domain.com2) Sever replies with an
HttpOnlyauthentication cookie, calledauthCookie, and a custom header e.g.X-Auth-Cookie, where the value of this header is a unique value that is linked to the session that is identified by theauthCookie3) The Angular client reads the
X-Auth-Cookieheader value and stores that value in aXSRF-TOKENcookie on its domain,ui.domain.comSo now you have:
XSRF-TOKENcookie onui.domain.comauthCookiecookie onapi.domain.com
4) User makes a request of a protected resource on
api.domain.com. The browser will automatically supply theauthCookievalue, and Angular will automatically send theX-XSRF-TOKENheader, and will send the value that it reads from theXSRF-TOKENcookie5) Your server asserts that the value of
X-XSRF-TOKENis linked to the same session that is identified by the value of theauthCookieI hope this helps! I've also written about token authentication for Angular, Token Based Authentication for Single Page Apps (SPAs) (Disclaimer: I work at at Stormpath)
加载中...
- 热议问题