# IT:AD:CSRF:HowTo:SPA #
ASP.NET MVC and ASP.NET both rely on data posted in the request body as well as on cookies.
That is plain old dangerous in a SPA: the browser attaches the cookie to every request to the site, including one forged from another origin, so a cookie alone cannot prove the request came from your application.
## Process ##
There are a variety of ways to implement this approach, but the real key is that the server doesn't validate a user based on a cookie; it instead validates the user with a custom HTTP header.
* The user navigates in their browser to the application
* The server returns a basic web page and a JavaScript application
* The JavaScript application can’t find an authentication token in the web site’s cookies
* The JavaScript application displays a login form
* The user enters correct login credentials and then submits the form
* The server validates the login information and creates an authentication token for the user
* The server sets the authentication token in a cookie and returns it to the JavaScript application
* The JavaScript application makes a request for some protected data, sending the authentication token in a custom header
* The server validates the token and then returns the data
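The flow above, reduced to the two pieces that matter, as an added example that is not from the original page or from any of the linked articles: the JavaScript application copies the token from the cookie into a custom header, and the server decides on that header only. The cookie name, the header name and the in-memory token store are assumptions for illustration.

```javascript
// Added example: token-in-header authentication for a SPA.
// Written as pure functions so both sides can be exercised offline.
const COOKIE_NAME = 'authToken';     // assumed cookie name
const HEADER_NAME = 'x-auth-token';  // assumed custom header (lower-cased)

// Browser side: find the token the server placed in the cookie.
// Takes the cookie string as a parameter so it runs outside a browser;
// in the SPA you would pass document.cookie.
function tokenFromCookie(cookieString, name = COOKIE_NAME) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Browser side: headers to attach to a request for protected data.
function protectedRequestHeaders(cookieString) {
  const token = tokenFromCookie(cookieString);
  return token ? { [HEADER_NAME]: token } : {};
}

// Server side: constructed token store standing in for a session table
// or a signed-token check in a real application.
const issuedTokens = new Set(['tok-9f2c-constructed']);

// The decision looks only at the custom header, never at the cookie.
// A request forged from another site carries the cookie automatically
// but cannot add the header, so it is rejected here.
function serverAuthorizes(request) {
  const headers = request.headers || {};
  const presented = headers[HEADER_NAME];
  if (typeof presented !== 'string' || presented.length === 0) return false;
  return issuedTokens.has(presented);
}

// Constructed sample traffic: the same cookie jar in both requests.
const cookieJar = 'theme=dark; authToken=tok-9f2c-constructed; lang=en';
const legitimate = { cookies: cookieJar, headers: protectedRequestHeaders(cookieJar) };
const forgedCrossSite = { cookies: cookieJar, headers: {} };

console.log('legitimate request authorized:', serverAuthorizes(legitimate));
console.log('forged request authorized:', serverAuthorizes(forgedCrossSite));
```

The header works as the proof because a browser will not send a custom header cross-origin without a CORS preflight that the server has to approve, which the cookie never needed.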
## Resources ##
* http://rdbhost.blogspot.co.nz/2013/04/cookies-are-harmful-in-single-page-apps.html
* http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services
* http://stephenwalther.com/archive/2013/03/05/security-issues-with-single-page-apps