Click here to Skip to main content
15,843,623 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I have REST API written on PHP with authentication based on JWT. Workflow is simple: user sends username and password and gets JWT token back, with what they will be authenticated on all REST requests. Everything is pretty logic and cool, but now I have a problem with storing token client side, after some googling I found what only HTTP Only, Secure cookies are good for this, but they are vulnerable for CSRF attacks, so I am planning to user CSRF token to solve this problem. And here comes the question, how REST can validate CSRF token, if token issued by client? How REST backend understand what this random string is valid for this request and another random string is not? REST is stateless, he doesn't know what kind of token client have issued because REST and client are on separate backend, even on separate servers.

What I have tried:

REST is stateless, he doesn't know what kind of token client have issued because REST and client are on separate backend, even on separate servers.
Posted
Updated 27-Apr-18 6:27am

1 solution

The client does not issue the CSRF token. That would not be secure, and would not provide any protection.

OWASP provides several suggestions for CSRF protection:
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP[^]

The custom request headers[^] option would probably be the simplest, but pay attention to the comment about using Flash to bypass this.

You'll probably also want to see if you can add the "SameSite" attribute to your authentication cookie:
Preventing CSRF with the same-site cookie attribute[^]
Cross-Site Request Forgery is dead![^]

Currently supported in Chrome, Opera and Android; and Firefox will add support in v60:
Can I use... 'SameSite' cookie attribute[^]
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900