I make a call to a server on the /login endpoint, and it returns a session cookie as well as a CSRF token in the return values (I cannot store this as a cookie, as it is not secure). Where can I store the CSRF value on the client so I can use it in my calls to the server? If it is just in the JS memory, I lose it as soon as I leave the page even if my session is still valid, and storing it as a cookie is not secure. Or is it not possible to store, and do I have to hit an endpoint to get one every time I close the page?
Andrew
- The common way to do this is for the server to render the token into the page body, e.g. as a hidden field, which will be submitted when the form is submitted. The token is generally not persisted between pages. – John Wu Jun 09 '20 at 18:46
- @JohnWu I see. If I was doing pure client side rendering how would I approach this? – Andrew Jun 09 '20 at 18:51
- I suppose you could return the token in the AJAX response (or whatever data retrieval method the page uses) and store it in a JavaScript variable. – John Wu Jun 09 '20 at 20:32