All Questions
13 questions
-1 votes, 1 answer, 99 views
CSRF and JWT With Spring Security 6 Stateless REST
I have a question about how to incorporate JWT tokens with CSRF protection when integrating with the Angular framework and Spring Security 6. While there are numerous posts on whether to use both CSRF ...
0 votes, 2 answers, 1k views
How to use React and Django for user token authentication and storage
What I want to accomplish is a secure and user-experience-friendly approach to authenticating and storing a user's token.
As seen here, the recommended answer suggests using a set of two cookies which ...
0 votes, 0 answers, 585 views
Go how to use cookiejar for multiple requests?
I'm trying to make a CLI for a site that has CSRF, needing the CSRF token to be sent on headers and on a form.
I can't seem to understand net/http.Client or net/http/cookieJar
This its even good ...
1 vote, 1 answer, 318 views
Ways to prevent CSRF and have good cookie etiquette on a no-JavaScript login page?
Context: I'm building a website that has a password-locked admin portal. Additionally, JS is only used for progressive enhancement of the 100% already-working site.
Security issue: The login form is ...
0 votes, 1 answer, 326 views
CSRF, CORS and my approach to authentication
I've seen many questions about CSRF attacks and GET requests, and I'm trying to work out what I need for my app's authentication system.
My stack is an SPA React app hosted at app.site.com, and an API ...
10 votes, 1 answer, 6k views
Why not store JWT access token in memory and refresh token in cookie?
A lot of questions have already been asked on the topic of storing JWT tokens securely when dealing with a browser-based application. The consensus seems to be that http-only, secure cookies should be ...
9 votes, 1 answer, 3k views
Why does using JWT refresh tokens protect against CSRF during authentication?
I have read a few articles regarding JWT refresh tokens, and how/why they are used. One thing I have seen mentioned here: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#persistance ...
0 votes, 1 answer, 272 views
How to login on website with PHP Curl library?
I want to login to a page on https using the PHP CURL library. Reload this Page. But I couldn't. I could not make the connection from the server or localhost.
$username = "[email protected]";
...
0 votes, 1 answer, 2k views
NodeJS how to set csrf token correctly?
This is a continuation of this question: Rest-auth still reports the error of "CSRF cookie not set", but I've set the csrf
The code I used for server.js is:
const cookieParser = require(...
2 votes, 1 answer, 285 views
Why are auth cookies susceptible to CSRF while auth tokens are not?
I have been reading about cookies, local and session storage, and how it all relates to authentication.
One thing I have been reading is that APIs generally do not have to be as worried about CSRF ...
373 votes, 8 answers, 225k views
Where to store JWT in browser? How to protect against CSRF?
I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to ...
0 votes, 1 answer, 187 views
Django 1.5, CSRF, Login and Clients that Do Not Allow Cookies
The basic problem is this: when users who don't allow cookies try to log in to my Django site, they get a CSRF error and are redirected to a 403 Forbidden page. It would be much better if they got a ...
14 votes, 2 answers, 21k views
CSRF attacks and double-submitted cookie
The below quote is from http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
"When a user visits a site, the site should generate a (cryptographically strong) ..."