How to implement Double Submit Cookie with Encryption or HMAC

I'm trying to implement the Double Submit Cookie pattern with extra protection using encrypted or signed CSRF tokens. I'm working with a Single Page Application and a stateless API. I understand the normal workflow (no HMAC or encryption):

* The user goes into the page and gets a token (preferably before login to avoid login CSRF). The token is passed to the client as a Http-Only=false cookie. Let's call this "Cookie A".
* Whenever the client is going to send a request, it attaches the token as a hidden form field or as an HTTP header. The client also sends "Cookie A" to the API with the request.
* The API validates that the value of "Cookie A" matches the value from the form field or the HTTP header.

Please correct me if these steps are wrong.

In the encrypted or HMAC version of the process, I don't understand how the server sends both the encrypted/HMAC AND the plain-text cookie to the client.

* Is the server supposed to send 2 cookies? 1 encrypted/HMAC and 1 plain-text?
* Is the encrypted/HMAC cookie Http-Only=true?

There's no further information in OWASP about how to implement this. Further guidance is much appreciated.
http://dlvr.it/SjB4dp
