Sunday, 1 March 2020

Generating CSRF in SPA

Hey guys. I'd just like to know if this approach to generating CSRF tokens is safe & valid for production.

The client logs in. We then see if we have an XSRF-TOKEN cookie set. If the cookie is not set, that means we need to generate a new CSRF token for this session.

Generate a new CSRF token for this session by hitting a "protected" endpoint on the server. This endpoint is protected because we also pass in the logged-in user's email & password.

On the server, we validate that the email and password are from a legitimate user. If they are, we generate the CSRF token and set it as an XSRF-TOKEN cookie.

I'll be using React on the client side. Is this the right approach, if we wanted to avoid using SSR?

Submitted March 01, 2020 at 11:00PM by benaffleks
