I have my logins and logout working.... What I don't understand is how having the CSRF token in the cookie is "secure".... I guess I'm missing the punchline as to how this is secure, as both are in cookies and available to an attacker if they do a "post" to my endpoint from their website...
When they put up a malicious website with a "form" on it, it has access to all the cookies when that form posts...
Sorry, just new to this and not understanding it.... I'd rather understand why instead of writing code and saying "well this looks good".
from flask import Flask, jsonify, render_template_string, request
from flask_jwt_extended import (JWTManager, create_access_token, jwt_required,
                                set_access_cookies)

app = Flask(__name__)
app.config["JWT_SECRET_KEY"] = "change-me"        # placeholder, not the poster's real key
app.config["JWT_TOKEN_LOCATION"] = ["cookies"]    # read the JWT from cookies instead of headers
app.config["JWT_COOKIE_CSRF_PROTECT"] = True      # default; also sets the csrf_access_token cookie
app.config["JWT_CSRF_CHECK_FORM"] = True          # accept the csrf_token form field used below
jwt = JWTManager(app)


@app.route("/login", methods=["POST"])
def login():
    # The post does not show the credential check; username/password are read but unused.
    username = request.form.get("username", None)
    password = request.form.get("password", None)
    response = jsonify({"msg": "login successful"})
    access_token = create_access_token(identity="example_user")
    # Sets the HttpOnly access_token_cookie and the JavaScript-readable csrf_access_token cookie.
    set_access_cookies(response, access_token)
    return response


@app.route("/logoutpage", methods=["GET"])
@jwt_required()
def logout_page():
    logout = """
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>LOGOUT</title>
</head>
<body>
<h1>LOGOUT</h1>
<form action="/logout" method="post">
<input type="hidden" name="csrf_token" value="{{csrfval}}">
<input type="submit" value="Logout">
</form>
</body>
</html>
"""
    # Copies the double-submit value from the cookie into a hidden form field
    # for the POST to /logout (the /logout handler itself is not included in the post).
    return render_template_string(logout, csrfval=request.cookies.get("csrf_access_token"))
asked Mar 10 at 19:57
BostonAreaHuman
1 Answer
You're correct in saying that when the malicious website B makes a POST request to website A, the browser automatically includes all the cookies for website A.

However, the real prevention comes from including the CSRF token in the request headers or the body. Website B cannot possibly see the token due to the same-origin policy; it can only trigger a submission for it.

The deal breaker for the malicious website B is that it can't include the correct CSRF token in the request header/body without seeing it.

As to your question of why it is considered secure in Flask-JWT-Extended: it's considered secure because the library is using the double submit token method, which basically means it's checking the CSRF token both in cookies and in the request header/body.
JWT_ACCESS_CSRF_COOKIE_NAME
The name of the cookie that contains the CSRF double submit token. Only applicable if JWT_CSRF_IN_COOKIES is True
More details can be found here: https://flask-jwt-extended.readthedocs.io/en/stable/token_locations.html#cookies
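To make the answer's point concrete, here is a standard-library model of the cookie-plus-double-submit check, written as an added example for this page; it is not Flask-JWT-Extended's code, and the Flask app above is not involved. It mirrors how the library works: the CSRF value is stored as a claim inside the signed JWT that lives in the HttpOnly access_token_cookie, a copy is placed in the separate, JavaScript-readable csrf_access_token cookie, and a POST is accepted only when the same value also arrives in the X-CSRF-TOKEN header or the csrf_token form field. The cookie, header and field names are the library's defaults; the SECRET value, the minimal HS256 encoder and the two simulated browsers (same-origin page vs. attacker's page) are assumptions made for the demo. The attacker's page gets the victim's cookies attached by the browser but cannot read them, so it cannot fill in the field, and the request is rejected.

```python
"""Stdlib model of a cookie-stored JWT protected by a double-submit CSRF token.

Added example, not Flask-JWT-Extended's code.  Assumed names: SECRET stands in
for JWT_SECRET_KEY; cookie/header/field names copy the library's defaults.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"example-secret-key"  # assumption: would be JWT_SECRET_KEY in Flask


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict) -> str:
    """Minimal HS256 JWT (header.payload.signature); enough for the demo."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64(sig)}"


def decode_jwt(token: str) -> dict:
    """Verify the HMAC and return the claims; raise ValueError on tampering."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(unb64(payload))


def login(identity: str) -> dict:
    """What set_access_cookies() does: two cookies, CSRF value also inside the JWT."""
    csrf = secrets.token_hex(16)
    token = encode_jwt({"sub": identity, "csrf": csrf})
    return {
        # HttpOnly: no page's JavaScript can read it, but the browser sends it on every request.
        "access_token_cookie": {"value": token, "httponly": True},
        # Deliberately readable by same-origin JavaScript so it can be copied into a header/field.
        "csrf_access_token": {"value": csrf, "httponly": False},
    }


def jwt_required_post(cookies: dict, headers: dict, form: dict) -> tuple:
    """Server-side check for a state-changing POST: JWT from the cookie, CSRF from header/body."""
    token = cookies.get("access_token_cookie")
    if token is None:
        return 401, "missing access token cookie"
    try:
        claims = decode_jwt(token["value"])
    except ValueError:
        return 422, "invalid token"
    submitted = headers.get("X-CSRF-TOKEN") or form.get("csrf_token")
    if submitted is None:
        return 401, "missing CSRF token"
    # Compared against the claim inside the signed JWT, so the attacker cannot pick the value.
    if not hmac.compare_digest(submitted, claims["csrf"]):
        return 401, "CSRF double submit tokens do not match"
    return 200, f"logged out {claims['sub']}"


def same_origin_logout(cookies: dict) -> tuple:
    """Site A's own /logoutpage rendered csrf_access_token into the hidden form field."""
    form = {"csrf_token": cookies["csrf_access_token"]["value"]}
    return jwt_required_post(cookies, headers={}, form=form)


def cross_site_logout(cookies: dict) -> tuple:
    """Attacker's page on site B: the browser attaches the victim's cookies, but the
    attacker's HTML cannot read csrf_access_token, so the field can only be a guess."""
    attacker_form = {"csrf_token": "guess"}  # constructed: attacker has no way to learn it
    return jwt_required_post(cookies, headers={}, form=attacker_form)


if __name__ == "__main__":
    jar = login("example_user")
    print(same_origin_logout(jar))
    print(cross_site_logout(jar))
```

Two things the model makes visible that the answer states only briefly: the server compares the submitted value with the csrf claim inside the signed JWT, so an attacker who could somehow set a csrf_access_token cookie would still need a token signed with the server key; and the whole scheme rests on the csrf_access_token cookie being readable only by site A's own scripts, so an XSS bug on site A defeats it. In the real library, the form-field path used by the poster's logout form is only checked when JWT_CSRF_CHECK_FORM is enabled; the header path is checked by default.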
Title: What is having the csrf_access_token in Flask JWT Extended in a cookie considered secure? - Stack Overflow