
I plan to use the same controller for Normal (basic default http request via browser) and API requests with the help of

  1. FOSRest: (which will return the correct data format based on the request type)
  2. JMSSerializer: to serialize the response data if necessary

Normally, an API request must/should come together with a token to authorize the request. However, when we use the API directly on the website for logged in users, we authorize the users via Session already and thus do not need the API Token to be passed along.

However, the risk of cross-site script is still there if we only authorize by Session and do not use a CSRF token to recheck (Or maybe I'm wrong on this?). So if there is that risk, then should/must I also include CSRF in these REST requests?

mr1031011
  • I have just read this: http://stackoverflow.com/questions/23220655/csrf-validation-needed-or-not-when-using-restful-api Seems like it's not recommended. But does it mean I cannot/should not use REST API in stateful requests? – mr1031011 Sep 25 '14 at 11:40
  • I would suggest using more of an authorization token based scheme instead of a session/cookie based one. Take a look here: http://symfony.com/doc/current/cookbook/security/api_key_authentication.html . And yes, CSRF does not make much sense for REST posting. – Cerad Sep 25 '14 at 11:44
  • So I'm looking at the 2 bundles that may seem to help https://github.com/lexik/LexikJWTAuthenticationBundle and https://github.com/escapestudios/EscapeWSSEAuthenticationBundle. My question is: what are the differences between WSSE and JWT? Which one is recommended in this case? – mr1031011 Sep 25 '14 at 12:54
  • First off, I would avoid trying to have the same controller for both REST and normal requests. It will get confusing. You can extract and share common functionality but focus on each part alone. I would also avoid stateful requests for REST. This question might help a bit: http://stackoverflow.com/questions/26053656/symfony-rest-submit-post-without-form – Cerad Sep 26 '14 at 12:01
  • Right. Thank you all very much. So I will now abandon the idea of using CSRF in REST mode and will look for other options. I looked into WSSE and JWT for authorizing REST requests. I have posted a new question regarding the implementation of OAuth2 for REST in Symfony 2 http://stackoverflow.com/questions/26083755/is-this-the-correct-way-of-using-rest-api-oauth-on-top-of-the-normal-web-page – mr1031011 Sep 28 '14 at 10:03
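Added example, not from the question, FOSRestBundle or either linked bundle: the decision the thread circles around, written in Python rather than the question's PHP because the logic is framework-independent. It assumes a synchronizer token kept in the server-side session and echoed back in an `X-CSRF-Token` header, and an `api_tokens` set standing in for JWT/WSSE validation (all constructed names); a request authenticated only by the automatically-sent session cookie needs the CSRF check on state-changing methods, a Bearer-token request does not, and an invalid Bearer token is rejected instead of falling back to the cookie.

```python
import hmac
import secrets
from typing import Optional

# Added example (not from the question, FOSRestBundle or the linked bundles).
# Header name, session key and the api_tokens store are constructed for illustration.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CSRF_HEADER = "x-csrf-token"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: minted server-side, kept in the session and rendered
    into the page so the front-end can echo it back in a request header."""
    token = secrets.token_hex(32)
    session["_csrf_token"] = token
    return token


def authorize(method: str, headers: dict, session: Optional[dict], api_tokens: set) -> dict:
    """Decide which credential authenticates the request and whether CSRF applies.
    session is the server-side session dict if a session cookie was sent, else None;
    api_tokens stands in for whatever JWT/WSSE/API-key validation the API uses."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")

    if auth.startswith("Bearer "):
        # A custom Authorization header is never attached by the browser on a
        # cross-site request, so a token-authenticated call needs no CSRF token.
        token = auth[len("Bearer "):]
        if any(hmac.compare_digest(t, token) for t in api_tokens):
            return {"ok": True, "auth": "token", "csrf_checked": False}
        # A bad token must not silently fall back to cookie-based auth.
        return {"ok": False, "reason": "bad_token"}

    if session is None:
        return {"ok": False, "reason": "unauthenticated"}

    if method.upper() not in UNSAFE_METHODS:
        # Safe methods change nothing; the session cookie alone is enough.
        return {"ok": True, "auth": "session", "csrf_checked": False}

    # The session cookie rides along automatically, so a state-changing request
    # must also carry the token that only our own page could have read.
    expected = session.get("_csrf_token", "")
    presented = h.get(CSRF_HEADER, "")
    if not expected or not hmac.compare_digest(expected, presented):
        return {"ok": False, "reason": "csrf"}
    return {"ok": True, "auth": "session", "csrf_checked": True}
```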

0 Answers