
I have an AngularJS web application with Play Framework as the server side. I am using the Google Plus sign-in button to authenticate users. I need to authenticate all my AJAX calls on the server side. After going through the documentation that's available on the net, I have a couple of options and questions on each.

Hook-up point: JavaScript Google sign-in, on successful sign-in, calls back a JavaScript method. The id_token that's returned along with the callback needs to be verified again through the server side as recommended here. So the above-mentioned options can be added at this point on the server-side invocation.

  1. Use an HttpOnly cookie and check it on each AJAX call. Can we be assured this will prevent CSRF attacks too?
  2. Set an XSRF-TOKEN cookie; however, it has to be set with HttpOnly = false. Only then will AngularJS be able to read it and set it as the X-XSRF-TOKEN header in all requests originating from it. Is it safe to expose a JavaScript-readable cookie and later rely on it being secure?
  • After waiting a while, I chose option 2. The reasons: 1. I am not sure if all browsers support http-only cookie 2. Angular's guarantee on X-XSRF-TOKEN header that it can come only from the site's own javascript. – DBS Mar 03 '16 at 12:55
  • How did you get on with this approach? – Drenai Jan 05 '20 at 10:13

0 Answers