IT:AD:CSRF:HowTo:SPA

Summary

ASP.NET MVC and ASP.NET both rely on data posted in the request body as well as on cookies.

In a single-page application (SPA) that is plain old dangerous.

There are a variety of ways to implement this approach, but the key point is that the server does not authenticate the user based on a cookie; it authenticates the user with a custom HTTP header instead.

  • The user navigates in their browser to the application
  • The server returns a basic web page and a JavaScript application
  • The JavaScript application can’t find an authentication token in the web site’s cookies
  • The JavaScript application displays a login form
  • The user enters correct login credentials and then submits the form
  • The server validates the login information and creates an authentication token for the user
  • The server sets the authentication token in a cookie and returns it to the JavaScript application
  • The JavaScript application makes a request for some protected data, sending the authentication token in a custom header
  • The server validates the token and then returns the data

Last modified: 2023/11/04 03:39 by 127.0.0.1