Hi all!

Unless I am mistaken, the `csurf` npm package is basically an implementation of an Encryption Based Token, which means that the secret used to generate the token should be kept server side. Since one usually generates this token and secret when a session is created, it makes sense to store the secret in the session store, along with other values. So far, so good - I hope.

Thing is, I decided to get rid of session stores, due to many considerations, and have decided to use a JWT based session mechanism, persisted in a cookie (Secure, HttpOnly, SameSite + Supported Browser Filtration). This means that the XSRF secret will be stored in the Session JWT token as well, which contradicts the whole purpose of a secret.

The question is, does doing so expose an attack vector? (And I mean an actual one, not a wild theoretical scenario.) Are there any alternatives to this package which are actively maintained?

P.S.: my first ever post on reddit, so sorry if I did / said something wrong.

Thanks :)
Submitted September 28, 2019 at 06:38AM by eyalperry