
All Questions

-1 votes
1 answer
99 views

CSRF and JWT With Spring Security 6 Stateless REST

I have a question about how to incorporate JWT tokens with CSRF protection when integrating with the Angular framework and Spring Security 6. While there are numerous posts on whether to use both CSRF ...
asked by Spindoctor
0 votes
1 answer
60 views

How to prevent someone from copying POST request from developer tools and modifying request payload?

We are using HTTP-only cookie based JWT authentication in our MERN application. Recently we experienced suspicious activity from a user. The user created an account and then made a POST request with a ...
asked by Salman
0 votes
0 answers
116 views

Does CSRF protection work when the client and server are hosted on different servers?

I am currently in the development phase of my project, where the client (react) is hosted at localhost:3000, and the server (laravel) is hosted at localhost:8000. I'm implementing CSRF protection, and ...
asked by Elio Bteich
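The question above turns on the difference between "cross-origin" and "cross-site", because SameSite cookies and CSRF tokens care about the site while CORS cares about the origin. The following is an added example, not code from the question or from Laravel/React: it classifies a request as same-origin and/or same-site and decides whether a cookie with a given SameSite value would ride along. The registrable-domain helper is a deliberate simplification (last two labels, no Public Suffix List); that assumption holds for the hosts used here.

```javascript
// Added example (not from the question or from Laravel/React): classify a
// request as same-origin / same-site and decide whether a cookie with a given
// SameSite attribute would accompany it. registrableDomain() is a simplification
// (last two labels, no Public Suffix List), an assumption that holds for the
// constructed hosts below.
function registrableDomain(host) {
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIPv4 || !host.includes('.')) return host;   // 'localhost', '127.0.0.1'
  return host.split('.').slice(-2).join('.');        // 'api.example.com' -> 'example.com'
}

// "Site" is scheme + registrable domain. The port is NOT part of the site, so
// http://localhost:3000 and http://localhost:8000 are same-site but cross-origin.
function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function originOf(urlString) {
  return new URL(urlString).origin;
}

function classify(fromUrl, toUrl) {
  return {
    sameOrigin: originOf(fromUrl) === originOf(toUrl),
    sameSite: siteOf(fromUrl) === siteOf(toUrl),
  };
}

// Would the browser attach a cookie with this SameSite value to the request?
// Lax still sends the cookie on cross-site top-level GET navigations, which is
// why state-changing GET endpoints stay CSRF-able under Lax.
function cookieSent({ sameSite, policy, method, topLevelNavigation }) {
  if (sameSite) return true;
  switch (policy) {
    case 'Strict': return false;
    case 'Lax': return topLevelNavigation && ['GET', 'HEAD'].includes(method.toUpperCase());
    case 'None': return true;                 // only honoured together with the Secure attribute
    default: throw new Error(`unknown SameSite value ${policy}`);
  }
}

// The poster's dev setup plus two production-shaped cases (hosts constructed).
function demo() {
  const dev = classify('http://localhost:3000', 'http://localhost:8000');
  const prod = classify('https://app.example.com', 'https://api.example.com');
  const attack = classify('https://evil.example', 'https://api.example.com');
  return {
    dev,
    prod,
    attack,
    // cross-site form POST from evil.example with a Lax session cookie: not sent
    laxPost: cookieSent({ sameSite: attack.sameSite, policy: 'Lax', method: 'POST', topLevelNavigation: false }),
    // cross-site top-level link click to a GET endpoint with a Lax cookie: sent
    laxNav: cookieSent({ sameSite: attack.sameSite, policy: 'Lax', method: 'GET', topLevelNavigation: true }),
  };
}
```

For the setup in the question (client on localhost:3000, server on localhost:8000) the server still sees a cross-origin request, so CORS must allow that origin with credentials, but the session cookie is same-site and a token-based CSRF check works exactly as it would on one origin. The `attack` case is the one CSRF protection exists for: cross-site, cookie attached on a top-level navigation even under Lax, and no way for the attacker to read the token.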
0 votes
0 answers
14 views

Is CSRF protection required for extremely short-lived cookies?

I have an app with token-based authentication. For a specific endpoint that serves a PDF file, it was ideal for me to authenticate via cookie, so I create a cookie with a 1 second lifetime, just for ...
asked by ינון רחמים
1 vote
0 answers
168 views

Which way is more appropriate for implementing authentication using a JWT token for an SPA that is XSS and CSRF attack proof?

I'm wondering what the best way is to implement authentication using a JWT token mechanism for a React SPA while being fully stateless and XSS and CSRF attack proof. After a long search I can't find a ...
asked by user177654
2 votes
1 answer
4k views

Best way to store tokens in Next.js for authentication

I am working on a Next.js application and implementing authentication using tokens. I have three tokens: accessToken, refreshToken (both are jwt and contain userId, email and role), and csrfToken (...
asked by hantoren
1 vote
1 answer
306 views

Abusing a login form that doesn't have CSRF tokens?

I can't get my head round how a CSRF attack would work with a login form that doesn't use CSRF tokens. This is how the process has been described to me: The victim user logs in to a website that has ...
asked by Jayy
0 votes
2 answers
1k views

How to use React and Django for user token authentication and storage

What I want to accomplish is a secure and user experience friendly approach to authenticating and storing the user's token. As seen here, the recommended answer suggests using a set of two cookies which ...
asked by Ran123
3 votes
1 answer
264 views

How to disable CSRF for a specific origin

I needed to add auth in Swagger, but I have no idea how to pass the CSRF token to each request. If I disable the CSRF token protection then it works fine, but it's not a solution, so now I need to ...
asked by Triarta
0 votes
1 answer
765 views

How to implement a CSRF token in an SSR application with Express? It seems csurf is deprecated

I want to implement a CSRF token in my application's server-side rendered web page but do not know how this process works, and the package I found that tutorials use is deprecated (csurf). How would ...
asked by MandoMando
0 votes
1 answer
72 views

protect_from_forgery and login forms

Reading about how protect_from_forgery works, I came across multiple articles such as this one which explains that the authenticity_token is bound to the user's session. All clear so far. But a ...
asked by Iván Cortés
0 votes
0 answers
585 views

Go: how to use cookiejar for multiple requests?

I'm trying to make a CLI for a site that has CSRF, needing the CSRF token to be sent in headers and in a form. I can't seem to understand net/http.Client or net/http/cookieJar. Is this even good ...
asked by RathHunt
0 votes
1 answer
468 views

Should I use a CSRF token in a REST API?

I am creating a login registration system using React on the frontend and Express.js on the backend. In this system I will use access and refresh tokens. When a user logs in, that user will get an access token ...
asked by Study Planet
1 vote
1 answer
318 views

Ways to prevent CSRF and have good cookie etiquette on a no-JavaScript login page?

Context: I'm building a website that has a password-locked admin portal. Additionally, JS is only used for progressive enhancement of the 100% already-working site. Security issue: The login form is ...
asked by KarlLightning
1 vote
2 answers
1k views

Laravel: CSRF token not needed for login via axios

When I use a form to post to the /login route, a valid CSRF token is needed. <form role="form" method="POST" action="/login"> However, I can login completely ...
asked by Hillcow
0 votes
1 answer
224 views

Can't connect to specific API from python code using 'requests' library

I am trying to get my python code to connect to a specific API following below guide: https://github.com/specify/specify7/wiki/API-Documentation-Demo I can make it work from a Linux CLI as specified, ...
asked by Fedor Steeman
0 votes
1 answer
326 views

CSRF, CORS and my approach to authentication

I've seen many questions about CSRF attacks and GET requests, and I'm trying to work out what I need for my app's authentication system. My stack is an SPA React app hosted at app.site.com, and an API ...
asked by Raph117
3 votes
2 answers
5k views

Laravel project within iframe - CSRF token mismatch

I have a project where I implemented Sanctum to be used as authentication for API calls. This is the way I use it: axios.get('/sanctum/csrf-cookie').then(response => { axios.post('/api/login', {...
asked by Matrix
1 vote
1 answer
890 views

How to protect the login and register endpoints (views) of an API created with DRF that uses JWT for authentication from CSRF?

I have been searching and reading other questions and blogs, but I didn't find anything concrete about my doubt. A little context: I am developing a SPA which works with a REST API in Django by ...
asked by Jony_23
10 votes
1 answer
6k views

Why not store JWT access token in memory and refresh token in cookie?

A lot of questions have already been asked on the topic of storing JWT tokens securely when dealing with a browser-based application. The consensus seems to be that http-only, secure cookies should be ...
asked by Just van der Veeken
1 vote
1 answer
3k views

Invalid CSRF token as a result of session cookie not being set when visiting login form directly

Updating this post following further investigation to ensure it is focussed on the actual issue (also now raised at: https://github.com/symfony/symfony/issues/42691) My Environment I am running: ...
asked by Lushawn
0 votes
1 answer
299 views

Cannot explain invalid CSRF token rails api

I am currently stuck on a bug in my project, which is a Rails API backend with a React/Redux frontend. For auth I'm using an httponly cookie and CSRF tokens provided by Rails, placed in the headers ...
asked by SVRourke
0 votes
1 answer
1k views

How to get the CSRF token in JMeter to use for log-in

I'm trying a log-in scenario for a page, but it's getting an error because of the csrf_token and other dynamic parameters that are being generated every time I run the test. How do I get these ...
asked by Omeng
1 vote
3 answers
497 views

API Authentication best practices for custom REST service

I'll try to keep this as framework-independent as possible, but I will refer to the frameworks I'm personally using to give some context. Also, I'm sorry, but this is a long question. Context: I'm ...
asked by pianka
1 vote
1 answer
2k views

How do you implement CSRF tokens in django rest framework?

I have noticed that when using Django and you make a POST request, using a form for example, Django asks you to add the CSRF token, but when I was fetching data from an API created with Django REST ...
asked by Diegoa87
9 votes
1 answer
3k views

Why does using JWT refresh tokens protect against CSRF during authentication?

I have read a few articles regarding JWT refresh tokens, and how/why they are used. One thing I have seen mentioned here: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#persistance ...
asked by Sean
4 votes
2 answers
2k views

Using Ory/Kratos login/registration API flows

In the documentation, there is a large, bright red warning: Never use API flows to implement Browser applications! Using API flows in Single-Page-Apps as well as server-side apps opens up several ...
asked by user2959071
2 votes
1 answer
1k views

Django + Vuejs: Not Able to Get Csrftoken from Response Header

I have an issue regarding setting up Django and Vuejs in order to make them work together. My issue is regarding csrftoken and how it is passed between Django and Vuejs. Therefore, my setup is as ...
asked by Madalin Popa
0 votes
0 answers
406 views

PHP - CSRF Protection with Symfony

I need to create a login form with Symfony and protect it with CSRF protection, so I use Symfony's FormBuilder. When the user enters his email and password and submits the form, he stays on the same page ...
asked by Develogg
0 votes
0 answers
189 views

Laravel 7 CSRF token changes after login

To assign the items in the shopping cart to the user, I use the CSRF token. However, if the user logs in, a new token is automatically generated and the shopping cart is empty. How can I prevent a new ...
asked by Flip
0 votes
1 answer
796 views

How to generate Joomla login token from outside Joomla

Here's the context. I have a Joomla Backend with tons of custom code in a very old Joomla 1.X version. Everything is still surprisingly holding up well. The site owner wants a new front facing website ...
asked by Olivier Leprohon
6 votes
2 answers
5k views

How to refresh CSRF token on login when using cookie authentication without identity in ASP .NET Core Web API

I have an ASP .NET Core 3.1 backend, with angular 9 frontend (based on dotnet angular template, just with updated angular to v9). I use cookie authentication (I know JWT is more suited for SPAs, take ...
asked by yohny
0 votes
1 answer
214 views

How do popular websites get a secure authentication flow?

I'm creating an application with a React.js frontend and a Node.js REST API backend. When searching how to handle the authentication mechanism, the answers are always the same, using JWT vs session ID ...
asked by Vincent
0 votes
0 answers
304 views

Is there a way to renew an existing csrf_token in Django?

Currently I have the following registration form in my django app and I am having problems when I try to reload the registration page, that is, whenever the user types an invalid username, email or ...
asked by abautista
27 votes
3 answers
12k views

Next.js Authentication Strategies

I've been trying to implement a reliable authentication flow for a Next.js project but I'm completely lost now. I've already seen the examples repo of Next.js. But I have a lot of questions for a ...
asked by Onur Önder
0 votes
3 answers
498 views

Including Stripe card info in ajax form removes authenticity_token

I have a form_tag using Ajax to save a new user card with Stripe. It renders a Stripe card form, passes the input to a controller method, and then is supposed to serve a js file. It works without the ...
asked by Joe Morano
0 votes
0 answers
60 views

Is it no problem removing the token on the client side?

I would like to check whether the user is logged in or not. When I first developed this function, I was supposed to use Django's is_authenticated value, but there were many problems with the structure with Vue and ...
asked by Sammy Kim
1 vote
0 answers
131 views

Login function works on subdomain but not on main domain

How could it be that I have a script and a login function that work on a subdomain but not the other? Using the same MySQL DB username and password. Identical code won't work. if(isset($_POST['Login'])) { ...
asked by Greenhat
1 vote
1 answer
307 views

SF4 authenticator failure in CsrfTokenManager with iOS

Working with Symfony 4, and making a User environment (using SymfonyCasts tutorials), I wrote a LoginFormAuthenticator: class LoginFormAuthenticator extends AbstractFormLoginAuthenticator { use ...
asked by D.Picard
14 votes
3 answers
3k views

What kind of CSRF attack does state parameter prevent in OAuth2-based authentication?

I'm working on authentication part with Google OAuth2 API. I'm using "server" flow, not "implicit". When implementing step 1 for obtaining code guidelines recommend using the state parameter to ...
asked by fyrkov
0 votes
1 answer
390 views

Django CSRF verification failed on form validation after login with Ajax

My context: I fill in my form, and I have the possibility to save the values in the database if I am logged in. When I click on the Log in button, I open a Bootstrap modal form to log in and I use Ajax/jQuery ...
asked by Anthony
3 votes
1 answer
2k views

Do I need CSRF protection for /login endpoint?

I know this question has already been asked so many times, but after hours of searching I still don't have a clear answer to my problem. Even projects like https://github.com/pillarjs/understanding-...
asked by Fred Hors
5 votes
2 answers
1k views

Can't log in to Mailgun account. "The CSRF session token is missing."

When I try to log in to our Mailgun account I get the error message "The CSRF session token is missing." I cannot start a support ticket without logging in. When I try to recover our account, it ...
asked by WF51
0 votes
0 answers
102 views

Django Stale CSRF Token

I set up my django application to perform email confirmation when a user signs up using the code from this tutorial. When I test it, I go to the sign up page, fill out the required fields, and submit. ...
asked by user2253546
1 vote
2 answers
2k views

How to login to Flask App when using Locust

First time using Locust. I have a Flask app that requires the user to log in to access most routes. I can't get Locust to successfully log in to my Flask app. Here is my Locust.py file: from locust import ...
asked by WJ.Lesster
0 votes
1 answer
396 views

Use Django Rest API From Any Origin

I have a REST API implemented using Django DRF. My API is working just fine when used from my-domain.com, however I would like the API to be accessible from any origin. I have implemented CORS/CSRF ...
asked by user
2 votes
1 answer
525 views

Since macOS Mojave 10.14.6 update with Safari 12.1.2, I'm not able to login in Symfony 4.3 applications anymore

I've updated my MacBook to the latest Mojave 10.14.6 (18G87) version. Since that update I'm not able to login into my Symfony 4.3 applications using Safari anymore. I always get the error message "...
asked by Markus Fischbacher
0 votes
4 answers
1k views

Laravel - 419 issues when Submit Form

I have problems when submitting a form in a Laravel application. It reported a 419 error. My code: <form action="login" method="POST"> <input id="csft_pass" type="hidden" name="_token" ...
asked by Ajax
0 votes
1 answer
272 views

How to log in to a website with the PHP cURL library?

I want to log in to a page over https using the PHP cURL library. Reload this Page. But I couldn't. I could not make the connection from the server or localhost. $username = "[email protected]"; ...
asked by Piketty Thoma
1 vote
1 answer
1k views

Unable to find Vuex module action in Nuxt

I'm working on a Nuxt site with a custom Django back end, and I'm trying to set up a mechanism where when the app loads, I call a /token/ URL to get a CSRF token, and then store it in Vuex state to be ...
asked by wonder95