I had a similar issue last week, and tracked it down to the state field being overwritten by multiple calls to getLoginUrl(). Each time you call getLoginUrl(), a new state token is generated in the SDK and stored in the $_SESSION (it’s just a random value), so if you call it twice and the user … Read more
CSRF protection comes in a number of methods. The traditional way (the “Synchronizer token” pattern) usually involves setting a unique valid Token value for each request and then verifying that unique value when the request is subsequently sent in. It is usually done by setting a hidden form field. The token value is usually short … Read more
Forging arbitrary CSRF requests with arbitrary media types is effectively only possible with XHR, because a form’s method is limited to GET and POST and a form’s POST message body is also limited to the three formats application/x-www-form-urlencoded, multipart/form-data, and text/plain. However, with the form data encoding text/plain it is still possible to forge requests … Read more
You may have missed adding the following to your form: {% csrf_token %}
know, that this should not be possible with XHR (see e.g. Security for cross-origin resource sharing), at least not, if we trust the W3C spec to be implemented correctly in all modern browsers (can we?) At the end of the day you have to “trust” the client browser to safely store user’s data and protect … Read more
New Tomcat version support SameSite cookies via TomcatContextCustomizer. So you should only customize tomcat CookieProcessor, e.g. for Spring Boot: @Configuration public class MvcConfiguration implements WebMvcConfigurer { @Bean public TomcatContextCustomizer sameSiteCookiesConfig() { return context -> { final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor(); cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue()); context.setCookieProcessor(cookieProcessor); }; } } For SameSiteCookies.NONE be aware, that cookies are also Secure … Read more
I think reading CSRF-value from DOM is not a good solution, it’s just a workaround. Here is a document form angularJS official website http://docs.angularjs.org/api/ng.$http : Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. To take advantage … Read more
Client side (SPA) You only need to grab the CSRF token once per session. You can hold onto it in the browser and send it on every (non-GET) request. Rails will appear to generate a new CSRF token on every request, but it will accept any generated token from that session. In reality, it is … Read more
The problem once again is Angular’s poor documentation. The fact is, Angular will add the X-XSRF-TOKEN header only if the XSRF-TOKEN cookie was generated server-side with the following options: Path = / httpOnly = false (this is very important, and fully undocumented) Besides, the Angular app and the URL being called must reside on the … Read more
Yes, Django csrf framework can be disabled. To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example: (see doc) from django.views.decorators.csrf import csrf_exempt @csrf_exempt def my_view: return Httpresponse(“hello world”) ..and then remove {% csrf_token %} inside the forms from … Read more