CSRF _token value refresh in a login form - ajax

I have a login form submitted with Ajax. In one specific case, after the user logs in, I need to log them out with Auth::logout() and display an additional modal box. All of this happens with no page reload.
When the login modal is opened and submitted again, I get a Token mismatch error. The reason why this happens is because the logout uses Session::flush(). After this the _token Session variable is refreshed, while the _token input in the login form stays the same (because of the mentioned lack of page reload).
How can I refresh the CSRF _token in the login form, so it matches the one refreshed in the Session in a secure way?

When your login is submitted via ajax, your server is presumably sending back some kind of response to let the browser know the login was successful. You should send back the new CSRF token with this response, so that you can update the form client-side (with javascript).
To provide any more detail (how to update form fields, for example) we would need to see more of your code.

Related

Golang - Server Side Login Handling - how to resume request after login?

Currently, I’m developing a web app with server-side rendering using the Gin framework and I’m having a problem with login intercepting. When an HTTP GET request hits an endpoint, middleware is used to check the browser cookie and redirect the traffic to the login page. This works fine and after successful login, the user is always redirected to the dashboard page. My question is how I should redirect the user back to the originally requested URI instead of the dashboard page?
Also, a bit more complex scenario is on HTTP POST. It looks like the HTTP POST method doesn’t work quite well with a redirect. Also, how would I resume the request with the same post request after the user successfully login?
Thanks for the help!
For the HTTP GET scenario, this one is easy, you need to remember the original URL somewhere. The are a few ways you could go about this:
Store the URL in session information(if any is available, you do need sessions for non-authenticated users)
Store it in a query string, for example, redirect to example.com/login?original=https%3A%2F%2Fexample.com%2Fanother-page. Your login page can look for the query parameter and include it in the login form or make sure that the action of the login form matches the given URI. On a successful login attempt you can get the original URL form the query param and set it as the Location.
Store the original URL in a cookie, upon successful login you can just check the cookie value and use that.
As for the HTTP POST scenario. If you just want to redirect the same POST request to a different URL you can use a 307 Temporary redirect. A 307 will preserve the request body and method and not turn it into a GET request like a 303 See Other or 302 Found.
Resuming the original POST after showing the login screen and after a successful login is a little more complex. When you redirect to the login page you interrupt the flow of the user, maybe it is better to let the user re-post their request after logging in, instead of doing it for them.
Having said that, it is technically possible. We require two steps, first is storing all the data to recreate the request. Then after login completion we can render a form with this saved data and use javascript to submit the form. By adding:
<script>document.getElementById("myForm").submit();</script>
After your form, the browser will submit the form after loading the javascript, thus recreating the original POST.
The storage part can be done via the server side session or a cookie.

react-redux passport-google react-router: success callback url redirects to '/' and redux state resets as page reloads

I'm building a page, where a user is allowed to fill in a form, but in order to submit it, he has to login. I am only allowing Google Login (passport-google-oauth2). After filling the form, if he has to submit it, and is not logged in, a dialogue box appears, where he is asked to login by Google.
After a successful login, the the google callback route, in I am redirecting him to '/' (homepage)
Callback route code
app.get('/auth/google/redirect',passport.authenticate('google'),
(req,res,next)=>{
res.redirect('/');
});
I am using react router to handle routing on client side
However, when he is redirected to '/' the page refreshes and my redux state resets. (My form data is stored in redux state and it becomes empty again).
Here are my 2 questions.
1) How can I redirect to a page after a successful login without the page refreshing (redux not losing it's state)
2) How can I know from which route I came from and redirect back to the same route? ie: if I called google login from '/form', then I should be redirected to '/form' and so on
Thanks in advancce!

Is it possible to get form data after redirect from login page using spring security?

We have an application where user sends form with id's on button click. If the user clicks on the button after session expires, it will redirect to login page. After login i am able to redirect to the post URL, but the form data id's are not present. Is there any way to do this?

CSRF risk in Ajax

I'm using Symfony2 and protecting my forms with a CSRF token.
I have a comments system based on Ajax calls. If a user wants to edit his comment, here's what's happening:
A user hits the edit button.
A "fresh" comment edit form is loaded via ajax.
The user edit and submit the form via ajax.
The edited comment is sent back in response.
Is loading the "fresh" edit form via ajax a security risk?
If the form were already in the loaded page and couldn't be requested via ajax, an attacker could not guess the CSRF Token, but since he can request the form he can get his hands on the Token..
Couldn't he..?
Maybe an example will make it clearer:
Dave is an innocent registered user in my site (www.acme.com).
Dave logged in my site and then visited www.evil.com. He doesn't know that, but when he visited evil.com a script was executed.
The script sent an ajax request to www.acme.com/comments/123/edit and got the edit form in response.
It then filled in that form with it's malicious content and submitted that form (again, with ajax).
Will evil's evil plan work?
As far as i understand, there is no risk if your form contains CSRF token field. Default Symfony2 CSRF token depends on session which is not availiable for the attacker (and also on intention). So when the attacker requests the form there is attacker's (not user's) session id used.

How we can check the information sent to server in a client request?

What are the information sent to server in a client request?How can we check those information? I mean can we view those information(Is there any way to check)?
The Net panel in Firebug is how i usually check both request and response for debugging.
you can get the value of the submission when you submit a form on a website by writing a script to be called when the form is submitted. For example, you've got a login form. The form consists of login and password fields.
This form makes a POST request to some location, defined in the form's action attribute:
<form action="myScript.php">
then, in your script, you would need to use the request object to retrieve elements from it and those will be the info that your user submitted.

Resources