rest API create a signed_cookies including my token

[cyril moreau]

Hi,

I am looking for information/help about storing my token in a cookie in a safe way.

Backend : Django rest framework - Frontend Reacjs

I am using django-rest-framework-social-oauth2 to get a token (from different provider). and make request to the API (it works)

But everytime i refresh the page the user get logged out as the reactjs does not keep the token in a cookie and the user has to login again. 

i would like to keep it in a cookie to let the user make requests even if he closes the browser.

I also want to secure it with csrf protection.

I have spent a lot of time looking for a solution and today i have found django.contrib.sessions.backends.signed_cookies or django.contrib.sessions.backends.db

The one that interest me is the django.contrib.sessions.backends.signed_cookies 

1) I would like to know if a middleware exists to generate the signed cookie or if i have to create it?

2) This signed cookie will it be used by the sessionAuthentication backend or should I develop a piece of code that will get the token from the signed cookie -> authenticate the token -> allow the user to execute his request ?

3) where the signed cookie data is stored (database?) and how can i get them?

4) Is it OK to put the token in the cookie?

I would like to implement an API that can authenticate web browser or mobile app

5) I want to be able to use the token to authenticate from the browser to my website (cookie to avoid that the user has to login again and again)

6) I want to use this api for a mobile app as well? so creating a cookie, does it create a conflict during the mobile app authentication?

Thank you for your help!

[Andréas Kühne]

Hi,

I wouldn't use session based backends at all - because then you will need to do session based login instead of using the token. This is not a standard way of doing rest requests at least.

What I would do is just save the token in localstorage on the client. This is the way we do it for handling long based requests. Also then you will need to be able to refresh the token when the token expires (which you should do anyway).

This would solve all of your problems (including mobile app - you just store the token in the app). 

You can see this approach here:

https://medium.com/@rajaraodv/securing-react-redux-apps-with-jwt-tokens-fcfe81356ea0

Check under the header "Storing JWT token". 

It doesn't need to be a JWT token - the principal is that same regardless of how you generate the token.

Regards,

Andréas

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/f8f0f7e7-0556-4277-95ea-347552277ca5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[cyril moreau]

Hi,

I thought also about storing the token in the local storage, but according to my research it is not safe because it is open to xss attack and  the token will be accessible from any browser's tab using javascript.

Is localstorage widely used to store the token even if it is not safe ?

That is why i thought to use cookies and csrf protection for the web-based app.

If you have a safe solution with tokens only, it will take it.

Thank you

Cyril

[Andréas Kühne]

The only way to get the localstorage is if you get malicious code on your own page. The localstorage is specific for your site - it even is different if you have http and https for the same site.

The way it could be exploited would be if you include js on your site (some third party thing) that scrapes the localstorage variables.

Regards,

Andréas

To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/2bdb1ed4-a857-4050-9061-56fdd6af6a14%40googlegroups.com.

[cyril moreau]

I have read different posts or article that warn people about storing session data in the local storage. OWASP or http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

That is why i would like to create a session cookie

Local Storage

• Also known as Offline Storage, Web Storage. Underlying storage mechanism may vary from one user agent to the next. In other words, any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended not to store any sensitive information in local storage.
• Use the object sessionStorage instead of localStorage if persistent storage is not needed. sessionStorage object is available only to that window/tab until the window is closed.
• A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.
• A single Cross Site Scripting can be used to load malicious data into these objects too, so don't consider objects in these to be trusted.
• Pay extra attention to “localStorage.getItem” and “setItem” calls implemented in HTML5 page. It helps in detecting when developers build solutions that put sensitive information in local storage, which is a bad practice.
• Do not store session identifiers in local storage as the data is always accesible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.
• There is no way to restrict the visibility of an object to a specific path like with the attribute path of HTTP Cookies, every object is shared within an origin and protected with the Same Origin Policy. Avoid host multiple applications on the same o

Regards,