Validating CSRF token on REST API side

Question

0.00/5 (No votes)

See more:

I have REST API written on PHP with authentication based on JWT. Workflow is simple: user sends username and password and gets JWT token back, with what they will be authenticated on all REST requests. Everything is pretty logic and cool, but now I have a problem with storing token client side, after some googling I found what only HTTP Only, Secure cookies are good for this, but they are vulnerable for CSRF attacks, so I am planning to user CSRF token to solve this problem. And here comes the question, how REST can validate CSRF token, if token issued by client? How REST backend understand what this random string is valid for this request and another random string is not? REST is stateless, he doesn't know what kind of token client have issued because REST and client are on separate backend, even on separate servers.

What I have tried:

REST is stateless, he doesn't know what kind of token client have issued because REST and client are on separate backend, even on separate servers.

Posted 27-Apr-18 4:51am

Renuka Garg Phatak

Updated 27-Apr-18 5:27am

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2018-04-27T05:28:00

The client does not issue the CSRF token. That would not be secure, and would not provide any protection.

OWASP provides several suggestions for CSRF protection:
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP[^]

The custom request headers[^] option would probably be the simplest, but pay attention to the comment about using Flash to bypass this.

You'll probably also want to see if you can add the "SameSite" attribute to your authentication cookie:
Preventing CSRF with the same-site cookie attribute[^]
Cross-Site Request Forgery is dead![^]

Currently supported in Chrome, Opera and Android; and Firefox will add support in v60:
Can I use... 'SameSite' cookie attribute[^]