I am new to web security and implementation of same using spring-security. One important concept is prevention from CSRF using CSRF token. Spring security has provided two ways to manage CSRF token
CookieCsrfTokenRepository
HttpSessionCsrfTokenRepository
However I am not able to understand which one should be used as I can see cons in both the approach.
CookieCsrfTokenRepository is asking to set HTTP only property to false in cookie so that javascript can read it and add the same to in further request. However as per my understanding, setting http only as false is not recommended as malicious script can also read the cookie and share the same token in the forged request.
HttpSessionCsrfTokenRepository is storing the csrf token in session. In this case, we need to introduce session stickiness or session replication in case of distributed environment however recommendation is to go for stateless application.
So please some let me know if my above understanding is correct or not. If correct, which option do we need to select for csrf token implementation.
However as per my understanding, setting http only as false is not recommended as malicious script can also read the cookie and share the same token in the forged request.
I believe this would be true if a) you have an XSS vulnerability on your site or b) you did not set the Domain of the cookie. The rest of your question seems opinion-based to me.
however recommendation is to go for stateless application.
Note: The following is simply my opinion on the matter, as it's difficult to argue for/against statelessness in general.
This is an example where security requires state, so to protect the csrf token and avoid your concern with cookies, you need state on the server and should choose session.
Related
I'm implementing security for my React SPA using Spring Security on the backend. After a lot of reading, I opted for the following approach :
HTTPS everywhere
POST /login takes credentials returns JWT_TOKEN & XSRF_TOKEN in cookie form. I build the JWT_TOKEN myself whereas Spring Security handles the XSRF_TOKEN. Both cookies are Secured and SameSite=Strict. The JWT token is HttpOnly.
Subsequent API calls require the X-XSRF-TOKEN header. This is read from the aforementionned cookie. Both are sent and Spring Security compares them. JWT is automatically sent and checked in a Filter.
Every time a XSRF token is used, Spring Security generates a new one to prevent session-fixation attacks
XSS protections are applied by Spring Security
So now I'm wondering about refresh tokens. I'm reading a lot of contradictory info out there. Do I need them with this setup? If so how best to handle this ?
Many Thanks
In general, as its name says, the refresh token changes from one token to another. Typically they are used in OAuth protocol-based authentication. They are useful when an access token has expired, but the user's session is still valid.
First, JWTs are a great choice for access tokens. They have claims that match the access tokens requirements, such as: exp, iat, jti, sub, etc. But, when using a cookie-based authentication there is no need for access tokens and possibly no need for JWT.
As you said, your JWT_TOKEN is being set as an HttpOnly cookie, which means that only the server has access to it. JWT is useful for sharing the initial state between the client and server, and vice-versa. If your server is just taking it to look up the database, you don't need a JWT, you are just using a session concept, and keeping session data on a JWT may not be a good practice.
Second, if your authenticated cookie data will live at /login and die at /logout, there is no need for refresh tokens. Refresh tokens are an exchange key for short-life access tokens. Instead, your cookies keep the session live and don't need to be exchanged by something else.
For example, if the user uses the /login route to exchange your username and password for one short life access_token. He may need the refresh_token to get a new access_token without needing to send his username and password again.
If you are using the OAuth protocol or similar, refresh tokens are essential to provide a more seamless experience for your users and avoid the inconvenience of repeatedly having to re-enter their credentials. But even on OAuth, they are not mandatory.
Hello I manage 2 Liberty servers that serve UI and BFF content respectively and I want to secure them both with corporate oidc OP. Having heard about inbound propagation, I was thinking in propagating the access token from UI to BFF.
However I didnt find documentation on how should I configure it to outbound propagate the access token after successful authentication. The documentation only refers to inbound propagation. Only thing I see is a WASOidcClient_*** cookie being set, which I know nothing about it.
I also heard about jwtSso-1.0 feature and tried to create my own JWT with the necessary user information, but can't make this feature get the desired claims from the ID Token (already opened this other question).
So I'm unclear of:
Am I designing this correctly?
How can I get the UI Liberty propagate access token after successful authentication, preferably without coding anything?
Should I propagate access token, or IDToken? BFF needs basic user information that is present in IDToken
What is the WASOidcClient_*** cookie for? Can it be used by different Liberty instances to authenticate requests? Is the name configurable? Im just curious, because this cookie is probably proprietary and not portable, not much desired.
Appreciate it in advance!!
I am using token-based authentication (via dj-rest-auth 1.1.2) on my Django REST-Framework (DRF v. 3.12.1) project. After an initial view-base login, the server issues a token that the client has to include in the HTTP Authentication header with each request.
What I would like to do is to associate the token authentication with a server-side session, similar to what the Django Session Framework provides. That is, I would like to create a cacheable session object that stores information like user roles, which otherwise would need to be retrieved from the DB with each request.
It seams that there is no ready-made solution for this problem, is there? To my understanding, the Django Session Framework only works with session cookies but not with other tokens. On the other hand, token-based authentication does not create a server-side session, it seems.
My questions:
Is this correct, or am I simply missing some configuration or mis-reading the documentation?
If yes, is there something inherently flawed with my intended approach (which would explain why I cannot find a library that already does it)?
Again if yes, what would be the canonical solution handle complex user roles on each request? Just store them in the DB and let proper caching take care of it?
Thanks for your help!
I'm looking into JWT as an alternative to traditional sessions with cookies but I fail to see how they differ fundamentally from signed cookies that for example Express is offering through middleware like cookie-parser.
In both of them, the last part is the signature of the payload which guarantees the payload hasn't been tampered with.
Signed cookie:
user=tobi.CP7AWaXDfAKIRfH49dQzKJx7sKzzSoPq7/AcBBRVwlI3
Equivalent JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiVG9iaSJ9.kCTlR_Igb4H5cqBEDedShM2ivSQijPQkWqN4pZAXb2g
Besides the facts that:
(1) JWT doesn't come with origin restrictions and that
(2) the cookie content is immediately human-readable, whereas the JWT content (header + payload) are base64 encoded
is there anything that gives JWT a clear advantage over signed cookies?
Beware of mixing the concerns: cookies are primarily a mechanism for storing data on the client, they aren't inherently an authentication mechanism - but we use them that way :)
The primary benefit of JWTs are the declared structure (JSON, with common fields) and the declared mechanism for signing them. This is all just specification, there is nothing special about it. But it is nice to have a common way of persisting identity assertions.
You still need to store your JWT in a secure fashion, and cookies with HttpOnly; Secure are the best option. This prevents the cookie from being read by the JavaScript environment, which prevents XSS attacks.
I've written some blog posts about JWTs, they contain more information that will help to answer your question:
Build Secure User Interfaces Using JSON Web Tokens (JWTs)
Token Based Authentication for Single Page Apps (SPAs)
Disclaimer: I do work at Stormpath. We sponsor open-source JWT libraries for Node.js and Java, which can be found here:
https://github.com/jwtk
If you are using AngularJS, we also implement JWT best practices out of the box with our Stormpath Angular SDK
Cookies are typically used to protect web applications. The browser will add them automatically to every request. This makes the requests vulnerable to CSRF attacks.
JWT tokens are typically used to protect Web APIs. The token is attached to the AJAX request in JavaScript. Since the token is not attached to the request automatically, the request is not vulnerable to CSRF attacks. JWT tokens can also be used cross-origin in case the API you're talking to is on another domain.
JWT tokens are also used in native clients to talk to web APIs.
We're currently developing an entirely AJAX based app that will interact with the server via a RESTful API. I've considered potential schemes to protect against XSRF attacks against the API.
User authenticates and receives a
session cookie, which is also
double-submitted with each request.
We implement an OAuth consumer in
Javascript, retrieve a token when
the user logs in, and sign all
requests with that token.
I'm leaning toward the OAuth approach, mainly because I'd like to provide 3rd party access to our API and I'd rather not have to implement two authentication schemes.
Is there any reason why an OAuth consumer would not work in this situation?
Most AJAX libraries will set an additional header "X-Requested-With: XMLHttpRequest", which is difficult to fake in a basic XSRF attack (though possible if combined with XSS). Verifying that this header exists is a good defense-in-depth strategy if you expect all your requests to be AJAX.
Use a two-step request, the first asking for the server an unpredictible token, the second asking for the real action with the token.
As the attacker can't predict the token, and can't read it (same origin policy) he can't give a valid token in the second query.
But be careful to not leak tokens (learn about capturing json using when they affect value to a global variable and so on) and read :
http://www.google.com/search?q=xsrf+defence
The easiest way to prevent XSRF it to check the referer of every RESTful request to make sure the request is coming from the same domain. The session cookie is important for keeping state, but it will not defend against XSRF becuase it will also be sent with a forged request. Its common to see referer based XSRF protection system on embedded network hardware with limited memory requirements, Motorola uses this method on most of their hardware. This isn't the most secure XSRF protection, token based protection is better but both systems can still be bypassed with XSS. The biggest problem with token based XSRF protection is that it takes alot of time to go back and fix every request and you will probably miss a few requests.
Make sure to read up on the same origin policy and to scan your site for xss. You should also read the OWASP Top 10 for 2010 A3-Broken Authentication and Session Management.