All Questions tagged with csrf authentication (148 questions)
-1 votes · 1 answer · 99 views
CSRF and JWT With Spring Security 6 Stateless REST
I have a question about how to incorporate JWT tokens with CSRF protection when integrating with the Angular framework and Spring Security 6. While there are numerous posts on whether to use both CSRF ...
0 votes · 1 answer · 60 views
How to prevent someone from copying POST request from developer tools and modifying request payload?
We are using http-only cookie based JWT authentication in our MERN application.
Recently we experienced a suspicious activity from a user. User created an account and then made a POST request with a ...
0 votes · 0 answers · 116 views
Does CSRF protection work when the client and server are hosted on different servers?
I am currently in the development phase of my project, where the client (react) is hosted at localhost:3000, and the server (laravel) is hosted at localhost:8000. I'm implementing CSRF protection, and ...
0 votes · 0 answers · 14 views
Is CSRF protection required for extremely short-lived cookies?
I have an app with token-based authentication.
For a specific endpoint that serves a PDF file, it was ideal for me to authenticate via cookie,
so I create a cookie with a 1 second lifetime, just for ...
1 vote · 0 answers · 168 views
Which way is more appropriate implementing authentication using JWT token for an SPA being xss and csrf attack proof?
I'm wondering what is the best way to implement authentication using jwt token mechanism for a react SPA and being fully stateless and xss and csrf attack proof.
After a long search I can't find a ...
2 votes · 1 answer · 4k views
Best way to store tokens in Next.js for authentication
I am working on a Next.js application and implementing authentication using tokens. I have three tokens: accessToken, refreshToken (both are jwt and contain userId, email and role), and csrfToken (...
1 vote · 1 answer · 306 views
Abusing a login form that doesn't have CSRF tokens?
I can't get my head round how a CSRF attack would work with a login form that doesn't use CSRF tokens.
This is how the process has been described to me:
The victim user logs in to a website that has ...
0 votes · 2 answers · 1k views
How to use React and Django for user token authentication and storage
What I want to accomplish is a secure and user experience friendly approach to authenticating and storing user's token.
As seen here the recommended answer suggests to use a set of two cookies which ...
3 votes · 1 answer · 264 views
How to disable CSRF for a specific origin
I needed to add auth in Swagger, but I have no idea how to pass the CSRF token to each request. If I disable the CSRF token protection then it works fine, but it's not a solution, so now I need to ...
0 votes · 1 answer · 765 views
How to implement a CSRF token into an SSR application with Express? Seems like csurf is deprecated
I want to implement a CSRF token into my application's server-side rendered web page but do not know how this process works, and the package I found that tutorials use is deprecated (csurf). How would ...
0 votes · 1 answer · 72 views
protect_from_forgery and login forms
Reading about how protect_from_forgery works, I came across multiple articles such as this one which explains that the authenticity_token is bound to the user's session. All clear so far. But a ...
0 votes · 0 answers · 585 views
Go how to use cookiejar for multiple requests?
I'm trying to make a cli for a site that has csrf, needing the csrf token to be sent on headers and on a form.
I can't seem to understand net/http.Client or net/http/cookieJar
This its even good ...
0 votes · 1 answer · 468 views
Should I use a CSRF token in a REST API?
I am creating a login registration system using React on the frontend and Express.js on the backend.
In this system I will use access and refresh tokens. When a user logs in that user will get an access token ...
1 vote · 1 answer · 318 views
Ways to prevent CSRF and have good cookie etiquette on a no-JavaScript login page?
Context: I'm building a website that has a password-locked admin portal. Additionally, JS is only used for progressive enhancement of the 100% already-working site.
Security issue: The login form is ...
1 vote · 2 answers · 1k views
Laravel: CSRF token not needed for login via axios
When I use a form to post to the /login route, a valid CSRF token is needed.
<form role="form" method="POST" action="/login">
However, I can login completely ...
0 votes · 1 answer · 224 views
Can't connect to specific API from python code using 'requests' library
I am trying to get my python code to connect to a specific API following below guide:
https://github.com/specify/specify7/wiki/API-Documentation-Demo
I can make it work from a Linux CLI as specified, ...
0 votes · 1 answer · 326 views
CSRF, CORS and my approach to authentication
I've seen many questions about CSRF attacks and GET requests, and I'm trying to work out what I need for my app's authentication system.
My stack is an SPA React app hosted at app.site.com, and an API ...
3 votes · 2 answers · 5k views
Laravel project within iframe - CSRF token mismatch
I have a project where I implemented Sanctum to be used as authentication for api calls. This is the way I use it
axios.get('/sanctum/csrf-cookie').then(response => {
axios.post('/api/login', {...
1 vote · 1 answer · 890 views
How to protect from CSRF the Login and Register endpoints (views) of an API created with DRF which uses JWT as authentication?
I have been searching and reading other questions and blogs, but I didn't find anything concrete about my doubt.
A little context:
I am developing an SPA which works with a REST API in Django by ...
10 votes · 1 answer · 6k views
Why not store JWT access token in memory and refresh token in cookie?
A lot of questions have already been asked on the topic of storing JWT tokens securely when dealing with a browser-based application. The consensus seems to be that http-only, secure cookies should be ...
1 vote · 1 answer · 3k views
Invalid CSRF token as a result of session cookie not being set when visiting login form directly
Updating this post following further investigation to ensure it is focussed on the actual issue (also now raised at: https://github.com/symfony/symfony/issues/42691)
My Environment
I am running:
...
0 votes · 1 answer · 299 views
Cannot explain invalid CSRF token in Rails API
I am currently stuck on a bug in my project, which is a Rails API backend with a React/Redux frontend.
For auth I'm using an httponly cookie and CSRF tokens provided by Rails, placed in the headers ...
0 votes · 1 answer · 1k views
How to get csrf token in Jmeter to use for log-in
I'm trying a log-in scenario for a page, but it's getting an error because of the csrf_token and other dynamic parameters that are being generated every time I run the test. How do I get these ...
1 vote · 3 answers · 497 views
API Authentication best practices for custom REST service
I'll try to keep this as framework-independent as possible, but I will refer to the frameworks I'm personally using to give some context. Also, I'm sorry, but this is a long question.
Context: I'm ...
1 vote · 1 answer · 2k views
How do you implement CSRF tokens in django rest framework?
I have noticed that when using django and you make a post request, using a form for example, django asks you to add the csrf token, but when I was fetching data from an api created with django rest ...
9 votes · 1 answer · 3k views
Why does using JWT refresh tokens protect against CSRF during authentication?
I have read a few articles regarding JWT refresh tokens, and how/why they are used. One thing I have seen mentioned here: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#persistance ...
4 votes · 2 answers · 2k views
Using Ory/Kratos login/registration API flows
In the documentation, there is a large, bright red warning:
Never use API flows to implement Browser applications!
Using API flows in Single-Page-Apps as well as server-side apps opens up several ...
2 votes · 1 answer · 1k views
Django + Vue.js: Not Able to Get csrftoken from Response Header
I have an issue regarding setting up Django and Vue.js in order to make them work together. My issue is regarding the csrftoken and how it is passed between Django and Vue.js.
Therefore, my setup is as ...
0 votes · 0 answers · 406 views
PHP - CSRF Protection with Symfony
I need to create a login form with Symfony and protect it with CSRF protection.
So I use the FormBuilder of Symfony.
When the user enters his email and password and submits the form, he stays on the same page ...
0 votes · 0 answers · 189 views
Laravel 7 CSRF token changes after login
To assign the items in the shopping cart to the user, I use the CSRF token. However, if the user logs in, a new token is automatically generated and the shopping cart is empty.
How can I prevent a new ...
0 votes · 1 answer · 796 views
How to generate Joomla login token from outside Joomla
Here's the context. I have a Joomla Backend with tons of custom code in a very old Joomla 1.X version. Everything is still surprisingly holding up well. The site owner wants a new front facing website ...
6 votes · 2 answers · 5k views
How to refresh CSRF token on login when using cookie authentication without identity in ASP .NET Core Web API
I have an ASP .NET Core 3.1 backend, with angular 9 frontend (based on dotnet angular template, just with updated angular to v9).
I use cookie authentication (I know JWT is more suited for SPAs, take ...
0 votes · 1 answer · 214 views
How do popular websites get a secure authentication flow?
I'm creating an application with a react.js frontend and a node.js REST API backend.
When searching how to handle authentication mechanism, the answers are always the same, using JWT VS session ID ...
0 votes · 0 answers · 304 views
Is there a way to renew an existing csrf_token in Django?
Currently I have the following registration form in my django app and I am having problems when I try to reload the registration page, that is, whenever the user types an invalid username, email or ...
27 votes · 3 answers · 12k views
Next.js Authentication Strategies
I've been trying to implement a reliable authentication flow for a Next.js project but I'm completely lost now. I've already seen the examples repo of Next.js. But I have a lot of questions for a ...
0 votes · 3 answers · 498 views
Including Stripe card info in ajax form removes authenticity_token
I have a form_tag using Ajax to save a new user card with Stripe. It renders a Stripe card form, passes the input to a controller method, and then is supposed to serve a js file. It works without the ...
0 votes · 0 answers · 60 views
Is it no problem removing the token on the client side?
I would like to check whether the user is logged in or not.
The first time I developed this function, I supposed I would use Django's is_authenticated value, but there were many problems with the structure with Vue and ...
1 vote · 0 answers · 131 views
Login function works on subdomain but not on main domain
How could it be that I have a script and a login function that work on a subdomain but not the other? Using the same MySQL DB username and password. Identical code won't work.
if(isset($_POST['Login'])) {
...
1 vote · 1 answer · 307 views
SF4 authenticator failure in CsrfTokenManager with iOS
Working with Symfony 4, and making a User environment (using SymfonyCasts tutorials), I wrote a LoginFormAuthenticator:
class LoginFormAuthenticator extends AbstractFormLoginAuthenticator
{
use ...
14 votes · 3 answers · 3k views
What kind of CSRF attack does state parameter prevent in OAuth2-based authentication?
I'm working on authentication part with Google OAuth2 API.
I'm using "server" flow, not "implicit".
When implementing step 1 for obtaining code guidelines recommend using the state parameter to ...
0 votes · 1 answer · 390 views
Django CSRF verification failed on form validation after login with Ajax
My context: I fill in my form, and I have the possibility to save the values in the database if I am logged in.
When I click on the Log in button, I open a Bootstrap modal form to log in and I use Ajax/jQuery ...
3 votes · 1 answer · 2k views
Do I need CSRF protection for /login endpoint?
I know this question has already been asked so many times, but after hours of searching I still don't have a clear answer to my problem.
Even projects like https://github.com/pillarjs/understanding-...
5 votes · 2 answers · 1k views
Can't log in to Mailgun account. "The CSRF session token is missing."
When I try to log in to our mailgun account I get the error message
The CSRF session token is missing.
I cannot start a support ticket without logging in. When I try to recover our account, it ...
0 votes · 0 answers · 102 views
Django Stale CSRF Token
I set up my django application to perform email confirmation when a user signs up using the code from this tutorial. When I test it, I go to the sign up page, fill out the required fields, and submit. ...
1 vote · 2 answers · 2k views
How to login to Flask App when using Locust
First time using Locust. I have a Flask app that requires the user to log in to access most routes.
I can't get Locust to successfully log in to my Flask app.
Here is my Locust.py file:
from locust import ...
0 votes · 1 answer · 396 views
Use Django Rest API From Any Origin
I have a REST API implemented using Django DRF.
My API is working just fine when used from my-domain.com, however I would like the API to be accessible from any origin.
I have implemented CORS/CSRF ...
2 votes · 1 answer · 525 views
Since macOS Mojave 10.14.6 update with Safari 12.1.2, I'm not able to login in Symfony 4.3 applications anymore
I've updated my MacBook to the latest Mojave 10.14.6 (18G87) version.
Since that update I'm not able to login into my Symfony 4.3 applications using Safari anymore. I always get the error message "...
0 votes · 4 answers · 1k views
Laravel - 419 issues when submitting a form
I have problems when submitting a form in a Laravel application. It reports a 419 error.
My code:
<form action="login" method="POST">
<input id="csft_pass" type="hidden" name="_token" ...
0 votes · 1 answer · 272 views
How to login on website with PHP Curl library?
I want to login to a page on https using the PHP CURL library. Reload this Page. But I couldn't. I could not make the connection from the server or localhost.
$username = "[email protected]";
...
1 vote · 1 answer · 1k views
Unable to find Vuex module action in Nuxt
I'm working on a Nuxt site with a custom Django back end, and I'm trying to set up a mechanism where when the app loads, I call a /token/ URL to get a CSRF token, and then store it in Vuex state to be ...