pac4j CsrfToken set as cookie


Gunnar Adams

Sep 12, 2022, 6:00:31 AM
to Pac4j users mailing list
Hi,
I have a question which is prompted by a pentest finding against our application which uses pac4j for authentication purposes.
The comment from the company executing the penetration test was
"The CSRF Token is intended to protect the client's browser from a CSRF attack, but the
browser sends the cookies with any request to the server so the token is not effective."
Their recommendation is
"Configure the CSRF Token to be sent in the security headers and not in the cookies."

It seems that setting a csrf token in a cookie is contrary to OWASP recommendations.

<QUOTE>
CSRF tokens should not be transmitted using cookies.
<UNQUOTE>

In our case (ours is a single-page application based on the Eclipse RAP framework) where we use the Indirect pac4j clients (e.g. Oidc or SAML2) only to control access to the application, the csrf cookie may not even be relevant, but as my knowledge of the actual purpose of the CsrfToken cookie is rather limited, I would like your view on this.

I understand that it is probably easiest to set the token as a cookie, because it is automatic and transparent to any application and does not require changes in the application itself.

Why does pac4j set the csrf token in a cookie and what security benefit does it have?

I appreciate your comments very much.

Best regards
Gunnar

Jérôme LELEU

Sep 12, 2022, 8:48:12 AM
to Gunnar Adams, Pac4j users mailing list
Hi,

The CSRF token is available as a cookie for JavaScript applications.

It is generated by the csrfToken matcher which is automatically added if you have a web session or if you have defined an indirect client.

In your case, you can set:

import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.matching.matcher.DefaultMatchers;
import org.pac4j.core.matching.matcher.Matcher;

// Replace the default csrfToken matcher with one that always matches, so no token is generated
config.addMatcher(DefaultMatchers.CSRF_TOKEN, new Matcher() {
    @Override
    public boolean matches(WebContext context, SessionStore sessionStore) {
        return true;
    }
});

Thanks.
Best regards,
Jérôme
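
The following is an added example, not code from the thread or from the pac4j project, illustrating both Gunnar's question (why a token in a cookie is not protection by itself) and Jérôme's answer (the cookie exists so that JavaScript applications can read it). It models the double-submit pattern in plain JavaScript: the same-origin script reads the cookie and echoes the value in a request header, and the server compares that echoed copy against the token bound to the session, never the cookie. The cookie, header and parameter name "pac4jCsrfToken" is an assumption about pac4j's default naming; check it against your pac4j version. The session token and cookie string are constructed sample values.

```javascript
// Added example (not from the original thread or from pac4j).
// Assumption: pac4j's default name for the CSRF cookie, header and parameter
// is "pac4jCsrfToken"; verify against the pac4j version in use.
const CSRF_NAME = "pac4jCsrfToken";

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Client side: read the token from the cookie and build the header for a
// state-changing request. Only same-origin script can read the cookie, so
// only same-origin script can produce this header; that is the benefit.
function csrfHeaders(cookieString) {
  const token = parseCookies(cookieString)[CSRF_NAME];
  if (!token) throw new Error("no CSRF token cookie present");
  return { [CSRF_NAME]: token };
}

// Server side, modelled on what a CSRF check must do: compare the token
// bound to the session with the copy echoed in a header or parameter.
// The cookie is deliberately NOT consulted, because the browser attaches it
// to cross-site requests as well (the pentester's observation).
function csrfCheck(sessionToken, req) {
  const presented = req.headers[CSRF_NAME] || req.params[CSRF_NAME];
  if (!sessionToken || !presented) return false;
  if (sessionToken.length !== presented.length) return false;
  let diff = 0; // constant-time comparison of the two strings
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= sessionToken.charCodeAt(i) ^ presented.charCodeAt(i);
  }
  return diff === 0;
}

// Constructed scenario: the token stored in the session and set as a cookie.
const SESSION_TOKEN = "3f9c2a1e-constructed-token";
const BROWSER_COOKIES = `JSESSIONID=abc123; ${CSRF_NAME}=${SESSION_TOKEN}`;

// Same-origin single-page app: reads the cookie, echoes it in the header.
function sameOriginRequest() {
  return {
    headers: csrfHeaders(BROWSER_COOKIES),
    params: {},
    cookies: parseCookies(BROWSER_COOKIES),
  };
}

// Cross-site request: the browser still sends the cookies, but a foreign
// page cannot read them, so no header or parameter copy is present.
function crossSiteRequest() {
  return { headers: {}, params: {}, cookies: parseCookies(BROWSER_COOKIES) };
}

console.log("same-origin accepted:", csrfCheck(SESSION_TOKEN, sameOriginRequest()));
console.log("cross-site accepted:", csrfCheck(SESSION_TOKEN, crossSiteRequest()));
```

For an application like Gunnar's, where no script ever reads the cookie and no endpoint runs a CSRF check, the cookie carries no secret beyond the session's own token and adds nothing either way; the matcher override in Jérôme's reply simply stops generating it.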