csrf cookie #7

Closed
crisward opened this issue Mar 23, 2017 · 2 comments · Fixed by #8

Comments

@crisward
Contributor

In single page apps, the page hasn't always been refreshed when a session expires.
On the next xhr request the stored csrf token will be invalid, so will trigger a csrf error. As the user may have unsaved work, refreshing the browser is not ideal.

The node csrf middleware sets a csrf cookie, which contains the csrf token. This is protected in the same way as the session cookie is, but can be read by js to send back as a header.

This article discusses it - https://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services

I'll add this feature to my fork and create a pull request. Let me know if this needs adding somewhere else as there was talk of merging this in with kemal session.

Thanks.
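
The pattern described in the comment above, as an added example that is not part of the original issue or the project's code: the client re-reads the CSRF cookie before each state-changing request and sends it back as a header. The cookie name `csrf_token`, the header name `X-CSRF-Token` and the helper names are assumptions made for illustration.

```javascript
// Added example: cookie and header names are assumptions, not taken from
// the project discussed in this issue.
const CSRF_COOKIE = "csrf_token";   // hypothetical cookie name
const CSRF_HEADER = "X-CSRF-Token"; // hypothetical header name
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Parse a document.cookie-style string and return one cookie's value, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // value was not percent-encoded
    }
  }
  return null;
}

// Build the CSRF header for one request. The cookie is re-read on every call,
// so a token re-issued after the session expired is picked up without a page
// reload. The token is attached only to state-changing, same-origin requests,
// so it is never sent to another site.
function csrfHeadersFor(method, url, pageOrigin, cookieString) {
  if (SAFE_METHODS.has(method.toUpperCase())) return {};
  if (new URL(url, pageOrigin).origin !== pageOrigin) return {};
  const token = readCookie(cookieString, CSRF_COOKIE);
  return token ? { [CSRF_HEADER]: token } : {};
}

// Browser wrapper around fetch(); assumes options.headers is a plain object.
function csrfFetch(url, options = {}) {
  const method = options.method || "GET";
  const extra = csrfHeadersFor(method, url, location.origin, document.cookie);
  return fetch(url, {
    ...options,
    credentials: "same-origin",
    headers: { ...(options.headers || {}), ...extra },
  });
}
```

The server still has to compare the header value against the token it issued; the cookie must not be marked HttpOnly, since the script needs to read it.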

@sdogruyol
Member

Hey @crisward thank you for the idea. However I'd like to move this into kemal-session as discussed in #1

@crisward
Contributor Author

I needed this to fix an issue in my app, so I've raised a pull request. Should be easy enough to include in the port.
