-1

I'm developing a web application using Symfony and a JWT token for authentication. To prevent XSS, the JWT token is stored in a cookie with the HttpOnly attribute. And to prevent CSRF, I use a random CSRF token. This token is stored in a cookie and in the JWT token (encrypted). What I want to know is, is it necessary to renew the CSRF token in every response? What's the best implementation?

Here's my settings in details:

  • We've got a single page app. Most requests will be sent using ajax.
  • The user authenticates using POST.
  • On successful authentication, the server generates a random CSRF token and stores it in a cookie (HttpOnly) and inside the JWT payload. Before it is stored in the JWT payload, the CSRF token is encrypted.
  • After the JWT token is encoded, it is stored in a cookie (HttpOnly).
  • Every time the user requests access to another page, the server validates the CSRF token in the cookie and the one in the JWT token when the JWT token is decoded.
  • LocalStorage is not used because it is accessible through JavaScript.
dewi suci

1 Answer

1

Generally there is no need to renew the CSRF token at every request.

BUT let's see what happens in your setting:

  • you store your JWT as well as your CSRF token in a cookie,
  • you visit a malicious website that provokes a malicious request with malicious data to your site,
  • your browser attaches the cookies to this request, with JWT+CSRF,
  • your security is broken.

So you must not put the CSRF token in a cookie, because it is useless whether you renew it or not.

If you use a "single page application" it would be better to pass the JWT in the Authorization header. That makes a CSRF attack impossible (watch out for other threats).

If you use a "classical web application" it would be better to use "classical" CSRF tokens and "classical" session identifiers.

VladRia
  • So where should I put my CSRF token? In my application, the CSRF token in the JWT is encrypted. Every time the user sends a request, the server validates the CSRF token in the cookie (not encrypted) and the CSRF token inside the JWT token (encrypted). Is it not enough to prevent CSRF? I implement a single page application, and there is a reason I don't use the Authorization header: I don't want to store the JWT token in webStorage since it is accessible from JavaScript. – dewi suci Feb 20 '19 at 00:54
  • You should pass it with your data in the request's content. Just like in classic forms with a hidden `_token` field. – VladRia Feb 20 '19 at 10:20
  • I should store the CSRF token in localStorage for this, right? Is there any other option? – dewi suci Feb 21 '19 at 03:38
  • Sorry if I wasn't clear. I meant that you can still keep your JWT in a cookie. But doing so you need to use a CSRF token. You CANNOT store the CSRF token in a cookie and should put it in the request body. – VladRia Feb 21 '19 at 13:54
  • If you choose to use the Authorization header to transfer the JWT you don't even need a CSRF token because you will already be protected from it. – VladRia Feb 21 '19 at 13:55
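The following is an added example, not code from the question, the answer, or Symfony: a stdlib-only Python simulation that puts the question's design (CSRF token in an HttpOnly cookie and in the JWT) next to the answer's recommendation (JWT stays in the HttpOnly cookie, the CSRF token travels in the request itself, here as a header the page script sets). It replays the SPA's own request and a cross-site request against both checks so the difference is visible in the returned status codes. Assumptions: an HS256 JWT with a `csrf` claim, a request header named `X-CSRF-Token`, and a constructed signing key; the encryption of the claim described in the question is left out because it does not change the outcome.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for this example only; a real deployment loads it from configuration.
JWT_SECRET = b"example-hs256-key-for-illustration-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, key: bytes) -> dict:
    """Verify the signature with the algorithm pinned to HS256, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def login(user: str) -> dict:
    """Answer's design: JWT (carrying a per-session csrf claim) in an HttpOnly cookie,
    the same token returned in the JSON body so the SPA keeps it in memory, not in a cookie."""
    csrf = secrets.token_urlsafe(32)
    token = jwt_encode({"sub": user, "csrf": csrf}, JWT_SECRET)
    # Set-Cookie: jwt=<token>; HttpOnly; Secure; SameSite=Lax  (SameSite is defence in depth only)
    return {"cookies": {"jwt": token}, "body": {"csrf": csrf}}


def login_as_in_question(user: str) -> dict:
    """Question's design: the CSRF token also lives in a second HttpOnly cookie."""
    csrf = secrets.token_urlsafe(32)
    token = jwt_encode({"sub": user, "csrf": csrf}, JWT_SECRET)
    return {"cookies": {"jwt": token, "csrf": csrf}}


def check_request(cookies: dict, headers: dict) -> tuple:
    """Guard for a state-changing endpoint: the csrf claim in the JWT cookie must also
    arrive in X-CSRF-Token, a header that only the page's own JavaScript can add."""
    token = cookies.get("jwt")
    if token is None:
        return 401, "no session cookie"
    try:
        claims = jwt_decode(token, JWT_SECRET)
    except ValueError as exc:
        return 401, f"invalid jwt: {exc}"
    sent, expected = headers.get("X-CSRF-Token"), claims.get("csrf")
    if not sent or not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403, "csrf token missing or mismatched"
    return 200, f"ok for {claims['sub']}"


def check_request_as_in_question(cookies: dict) -> tuple:
    """Question's check: compare the csrf cookie with the claim in the JWT cookie.
    The browser attaches both cookies to a cross-site request, so this never fails."""
    try:
        claims = jwt_decode(cookies.get("jwt", ""), JWT_SECRET)
    except ValueError as exc:
        return 401, f"invalid jwt: {exc}"
    if cookies.get("csrf") != claims.get("csrf"):
        return 403, "csrf cookie does not match jwt claim"
    return 200, f"ok for {claims['sub']}"


def simulate() -> dict:
    """Replay the requests that matter and return their HTTP status codes."""
    sess = login("alice")
    # The SPA's own fetch(): the browser attaches the cookie, page JS adds the header.
    spa = check_request(sess["cookies"], {"X-CSRF-Token": sess["body"]["csrf"]})
    # A form auto-submitted from attacker.example: the cookie still rides along, but the
    # attacker's page can neither read the token nor set a custom header on that request.
    cross_site = check_request(sess["cookies"], {})
    # The same cross-site request against the question's cookie-plus-cookie design.
    q = login_as_in_question("alice")
    cross_site_question = check_request_as_in_question(q["cookies"])
    return {"spa": spa[0], "cross_site": cross_site[0],
            "cross_site_question_design": cross_site_question[0]}


if __name__ == "__main__":
    print(simulate())
```

`simulate()` returns 200 for the SPA's request, 403 for the cross-site request under the answer's design, and 200 for the cross-site request under the question's design, which is the answer's point: a secret the browser sends on its own cannot prove the request came from your page, so the token has to be carried in something the page script supplies (a header or the request body).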