I have a JHipster multi tenant backend with domains like tenant[.env].domain.ltd
with csrf enabled.
We are making a mobile app with Ionic and this app can store authentications on several tenants.
In this mobile app we set <preference name="Hostname" value="domain.ltd" />.
How do we deal with the CSRF token?
The backend sends to the mobile app an XSRF-TOKEN
cookie for .tenant[.env].domain.ltd
that is not accessible on the client side because the domains don't match, and thus the client cannot set the given token in the request's headers.
Should we disable CSRF for the mobile app? What's the best approach to do so? On which value should we filter to disable CSRF, if it's the only solution?
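Why the client at domain.ltd cannot read a cookie scoped to a tenant host, as an added illustration that is not part of the question and not JHipster's, Spring's or Ionic's code: it models RFC 6265 section 5.1.3 domain matching against the hosts named above (the env value `prod` and the host lists are constructed assumptions).

```javascript
// Added example, not from the question: RFC 6265 section 5.1.3 domain matching
// applied to the cookie-to-header (double submit) CSRF scheme the question describes.

// requestHost domain-matches cookieDomain when they are equal, or cookieDomain is a
// suffix of requestHost preceded by a "." (and the host is not an IP literal).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ''); // browsers drop a leading dot
  if (host === domain) return true;
  if (!host.endsWith(domain)) return false;
  if (host.charAt(host.length - domain.length - 1) !== '.') return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host); // IP literals never domain-match
}

// A cookie set without a Domain attribute is host-only: visible to exactly that host.
function cookieVisibleTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  return domainMatches(requestHost, cookie.domain);
}

// The client can only copy XSRF-TOKEN into the X-XSRF-TOKEN header if the cookie is
// visible to the host the app's pages are served from.
function canEchoXsrfHeader(cookie, appHost) {
  return cookieVisibleTo(cookie, appHost);
}

// Which of a set of hosts can read a given cookie (useful for judging how widely a
// token is shared once its Domain attribute is widened).
function hostsThatCanRead(cookie, hosts) {
  return hosts.filter((h) => cookieVisibleTo(cookie, h));
}

// Constructed cookies: the tenant-scoped one the question describes, and a variant
// scoped to the parent domain.
const TENANT_SCOPED = { name: 'XSRF-TOKEN', domain: '.tenant.prod.domain.ltd', hostOnly: false };
const PARENT_SCOPED = { name: 'XSRF-TOKEN', domain: '.domain.ltd', hostOnly: false };
```

A cookie scoped to the parent domain is readable from every tenant host, so the token is no longer isolated per tenant; that trade-off is what the mobile app's single Hostname setting forces into the open.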