New CSRF token per request or NOT?

If you do it per form request – then you basically remove the ability for CSRF attacks to occur & you can solve another common issue: multiple form submission. In simple terms – your application will only accept form input if the user ASKED for the form prior to the submission. Normal scenario: User A … Read more
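The per-form, single-use token the answer above describes, as an added example that is not part of the original answer: the server mints a token when it renders a form, binds it to the session and form, and consumes it on the first matching submission, so a forged cross-site request (no token) and a second submission of the same form (token already spent) are both refused. The in-memory store, the 15-minute lifetime and the `handle_post` handler are assumptions for the example; in production the store would sit in the session backend or a cache.

```python
# Added example: single-use, per-form CSRF tokens bound to a session.
# Not code from the answer above; the store, TTL and handler are assumed.
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a rendered form is valid for 15 minutes


class OneTimeCsrfStore:
    """Server-side record of outstanding form tokens, keyed by (session, form).

    In-memory dict so the example runs offline; a real deployment would keep
    this in the session backend or a shared cache such as Redis.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._issued = {}  # (session_id, form_name) -> {token: issued_at}

    def issue(self, session_id, form_name):
        """Called when the form is rendered: mint a token the user must echo back."""
        token = secrets.token_urlsafe(32)
        bucket = self._issued.setdefault((session_id, form_name), {})
        bucket[token] = self._clock()
        return token

    def consume(self, session_id, form_name, presented):
        """Called on POST: accept a token exactly once, then forget it.

        Returns (ok, reason). Any failure is a hard reject; the caller should
        answer 403 and re-render the form with a fresh token.
        """
        bucket = self._issued.get((session_id, form_name), {})
        now = self._clock()
        # Drop expired tokens first so the store does not grow without bound.
        for tok in [t for t, ts in bucket.items() if now - ts > self._ttl]:
            del bucket[tok]
        if not presented:
            return False, "missing token"
        presented = str(presented).encode()
        # Compare against every outstanding token in constant time so the
        # number of matching bytes does not leak through timing.
        match = None
        for tok in bucket:
            if hmac.compare_digest(tok.encode(), presented):
                match = tok
        if match is None:
            return False, "unknown, expired or already-used token"
        del bucket[match]  # single use: a replay of the same form now fails
        return True, "ok"


def handle_post(store, session_id, form_name, form_fields):
    """Minimal POST handler: verify the token before touching any form data."""
    ok, reason = store.consume(session_id, form_name, form_fields.get("csrf_token"))
    if not ok:
        return 403, reason
    return 200, "created order for %s" % form_fields.get("item")


if __name__ == "__main__":
    store = OneTimeCsrfStore()
    token = store.issue("sess-A", "order")          # GET /order renders the form
    print(handle_post(store, "sess-A", "order", {"csrf_token": token, "item": "book"}))
    print(handle_post(store, "sess-A", "order", {"csrf_token": token, "item": "book"}))  # double submit
    print(handle_post(store, "sess-A", "order", {"item": "book"}))                       # forged, no token
```

The token is bound to the session as well as the form, so a token harvested from an attacker's own session cannot be replayed into the victim's; the cost of this design is that every form render touches server-side state, which is why many frameworks prefer one token per session instead.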

Rails, Devise authentication, CSRF issue

Jimbo did an awesome job explaining the “why” behind the issue you’re running into. There are two approaches you can take to resolve the issue: (As recommended by Jimbo) Override Devise::SessionsController to return the new csrf-token: class SessionsController < Devise::SessionsController def destroy # Assumes only JSON requests signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)) render … Read more

What is the right way to use angular2 http requests with Django CSRF protection?

Now that Angular 2 is released the following seems to be the correct way of doing this, by using CookieXSRFStrategy. I've configured my application to have a core module but you can do the same in your main application module instead: import { ModuleWithProviders, NgModule, Optional, SkipSelf } from '@angular/core'; import { CommonModule } from … Read more

Forbidden (403) CSRF verification failed. Request aborted. Even using the {% csrf_token %}

Theory: A couple of things are required to make the csrf protection work (check out the docs): your browser has to accept cookies from your server; make sure you have 'django.middleware.csrf.CsrfViewMiddleware' included as middleware in your settings.py (alternatively use the decorator csrf_protect() on particular views you want to protect); make sure you pass on the … Read more
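The checks behind "CSRF verification failed", and what the Angular CookieXSRFStrategy answer above has to send to satisfy them, as one added example that belongs to neither answer: a simplified model of the decision Django's CsrfViewMiddleware makes for a state-changing request. It is not Django's code (the real middleware also masks the token and checks Origin/Referer); the cookie, header and form-field names are Django's defaults, and the reason strings are modelled on the ones its 403 page shows. The `Request` class is an assumption for the example.

```python
# Added example: simplified model of Django's CSRF check. Not Django's code.
import hmac
import secrets
from urllib.parse import parse_qs

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"           # Django default CSRF_COOKIE_NAME
HEADER_NAME = "X-CSRFToken"         # Django default; Angular's own default is X-XSRF-TOKEN
FORM_FIELD = "csrfmiddlewaretoken"  # the hidden field that {% csrf_token %} renders

REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


class Request:
    """Assumed minimal request object: method, cookies, headers, raw body."""

    def __init__(self, method, cookies=None, headers=None, body=""):
        self.method = method
        self.cookies = cookies or {}
        # Header names are case-insensitive; normalise so X-CSRFToken == x-csrftoken.
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.body = body


def new_csrf_token():
    """Value the server sets in the csrftoken cookie on the first response."""
    return secrets.token_hex(32)


def csrf_check(request):
    """Return (allowed, reason) in the order the 403 page would report them."""
    if request.method in SAFE_METHODS:
        return True, None  # the token is only demanded for state-changing methods
    cookie_token = request.cookies.get(COOKIE_NAME)
    if not cookie_token:
        # The browser never sent the cookie: it was blocked, or the cookie name
        # the client uses does not match CSRF_COOKIE_NAME.
        return False, REASON_NO_COOKIE
    # The token may arrive as the hidden form field or, for AJAX/JSON clients
    # such as Angular, as the X-CSRFToken header.
    presented = parse_qs(request.body).get(FORM_FIELD, [None])[0]
    if presented is None:
        presented = request.headers.get(HEADER_NAME.lower())
    if not presented or not hmac.compare_digest(cookie_token.encode(), presented.encode()):
        return False, REASON_BAD_TOKEN
    return True, None


if __name__ == "__main__":
    tok = new_csrf_token()
    # Angular configured with CookieXSRFStrategy('csrftoken', 'X-CSRFToken'): passes.
    print(csrf_check(Request("POST", {"csrftoken": tok}, {"X-CSRFToken": tok}, '{"a": 1}')))
    # Angular left on its defaults (X-XSRF-TOKEN header): 403.
    print(csrf_check(Request("POST", {"csrftoken": tok}, {"X-XSRF-TOKEN": tok}, '{"a": 1}')))
    # Template form with {% csrf_token %} but cookies blocked in the browser: 403.
    print(csrf_check(Request("POST", body="csrfmiddlewaretoken=" + tok)))
```

Reading the two reason strings against this model is usually enough to triage the 403: "cookie not set" points at the browser or at mismatched cookie names, "missing or incorrect" at the form or at the header name the JavaScript client uses.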

Laravel catch TokenMismatchException

You can handle TokenMismatchException Exception in App\Exceptions\Handler.php <?php namespace App\Exceptions; use Exception; use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler; use Illuminate\Session\TokenMismatchException; class Handler extends ExceptionHandler { /** * A list of the exception types that should not be reported. * * @var array */ protected $dontReport = [ 'Symfony\Component\HttpKernel\Exception\HttpException' ]; /** * Report or log an exception. * … Read more

CSRF Token necessary when using Stateless(= Sessionless) Authentication?

I found some information about CSRF + using no cookies for authentication: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/ “since you are not relying on cookies, you don’t need to protect against cross site requests” http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/ “If we go down the cookies way, you really need to do CSRF to avoid cross site requests. That is something we can forget when … Read more
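Why the quoted advice holds, and the caveat a practitioner wants next to it, as an added example that is not part of the answer or the linked posts: the reason a bearer token in an Authorization header is not exposed to CSRF is that a browser attaches cookies to a cross-site form or image request on its own but never adds custom headers set by the site's JavaScript; move the same token into a cookie and read it from there, and the forged request authenticates again. The HMAC signing key, the JWT-like token format without a library, and the `browser_request` model of browser behaviour are assumptions for the example.

```python
# Added example: bearer-in-header versus token-in-cookie under a cross-site POST.
# Not from the linked posts; key, token format and browser model are assumed.
import base64
import hashlib
import hmac
import json

SECRET = b"server-side-signing-key"  # assumption: held only by the API server


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(user):
    """Mint a compact HMAC-SHA256 signed token in JWT layout (header.payload.sig)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user}).encode())
    sig = b64url(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token):
    """Return the subject if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = b64url(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["sub"]


def header_auth_server(request):
    """Stateless API: identity comes only from Authorization: Bearer <token>."""
    auth = request["headers"].get("Authorization", "")
    user = verify_token(auth[7:]) if auth.startswith("Bearer ") else None
    return (200, f"transferred funds for {user}") if user else (401, "no credentials")


def cookie_auth_server(request):
    """Same token, but read from a cookie that the browser attaches by itself."""
    user = verify_token(request["cookies"].get("jwt", ""))
    return (200, f"transferred funds for {user}") if user else (401, "no credentials")


def browser_request(victim, cross_site):
    """Model of what the browser sends for a POST to the API.

    victim: what the site stored in the browser ({"localStorage": ..., "cookies": ...}).
    cross_site=True: the POST comes from an attacker's page (auto-submitted form),
    so cookies are attached but no Authorization header is added.
    cross_site=False: the site's own JavaScript adds the header from localStorage.
    """
    req = {"cookies": dict(victim.get("cookies", {})), "headers": {}}
    if not cross_site and "jwt" in victim.get("localStorage", {}):
        req["headers"]["Authorization"] = "Bearer " + victim["localStorage"]["jwt"]
    return req


if __name__ == "__main__":
    tok = issue_token("alice")
    in_storage = {"localStorage": {"jwt": tok}}
    print(header_auth_server(browser_request(in_storage, cross_site=False)))  # 200
    print(header_auth_server(browser_request(in_storage, cross_site=True)))   # 401: CSRF fails
    in_cookie = {"cookies": {"jwt": tok}}
    print(cookie_auth_server(browser_request(in_cookie, cross_site=True)))    # 200: CSRF is back
```

The trade-off the model does not show is the other side of the coin: a token in localStorage is readable by any script running on the page, so an XSS bug leaks it outright, whereas an HttpOnly cookie is not readable but needs CSRF protection again.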

Spring CSRF token does not work, when the request to be sent is a multipart request

If you are using @annotations, and the jsp view like this: <form:form id="profileForm" action="profile?id=${param.id}" method="POST" modelAttribute="appUser" enctype="multipart/form-data" > … <input type="file" name="file"> … <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" /> </form:form> this may help: AppConfig.java: @EnableWebMvc @Configuration @Import({ SecurityConfig.class }) public class AppConfig { @Bean(name = "filterMultipartResolver") public CommonsMultipartResolver filterMultipartResolver() { CommonsMultipartResolver filterMultipartResolver = new CommonsMultipartResolver(); … Read more

Disable CSRF validation for individual actions in Yii2

For the specific controller / actions you can disable CSRF validation like so: use Yii; … Yii::$app->controller->enableCsrfValidation = false; Or inside a controller: $this->enableCsrfValidation = false; Take a look at $enableCsrfValidation property of yii\web\Controller. Update: Here is some specification. If you want to disable CSRF validation for individual action(s) you need to do it in … Read more