Defense-In-Depth Post-Login CSRF Support #426
Comments
|
Hi @madaster97 - thanks for your recommendations
We're not keen on adding a runtime warning mainly just because we don't want to add a warning for users that don't need to add CSRF protection (because they've added it already for example). Happy to add more docs if you want to suggest a PR.
CSRF protection is a separate concern to login and we encourage you to use one of the available express middleware libraries if you want to implement it |
|
Hey @adamjmcgrath , I'd like to talk about this more:
For a server that is using this SDK as their entire session management system, do you think it makes sense to include a CSRF token in their appSession? I wrote up an example here and documentation here. |
|
Hey @madaster97 - sure, and thanks for sharing your code and docs example. We've considered bundling CSRF middleware along with our session middleware, but decided against it - generally the express solution is to use different middleware for specific jobs, cors, sec headers, csrf, serssion etc, for example the main session library (express-session) wouldn't bundle in csrf Also, if you look at express's solution to csrf https://github.com/expressjs/csurf - you'll see this is a hard thing to guarantee, the "npm module is currently deprecated due to the large influx of security vulunerability reports received, most of which are simply exploiting the underlying limitations of CSRF itself." - informing users they can add state changes to their GETs because we provide CSRF protection would be problematic. We think it's better to set some sensible/secure defaults and leave adding extra security measures to the application |
|
Yeah that makes sense. Thanks for talking it over |
Describe the problem you'd like to have solved
This SDK has one post-login CSRF protection method (
SameSite=Laxcookies discussed here), but would benefit from additional methods.I've been using this SDK for prototyping, and only recently realized I had a post-login CSRF attack. For reasons most servers I work with need
Same=None; Securein their cookies, and so lose the default CSRF protection from this library.Describe the ideal solution
At the very least, I'd like to add a warning when someone sets the
appSessioncookie toSameSite=None, reminding them to also add CSRF protection.Taking that a step further, I'd like this library to offer additional CSRF protections, and potentially enforce them (with an override) when users set
SameSite=None.CSRF Token in AppSession
I've been pouring over the OWASP CSRF Cheat Sheet, and I think a reasonable approach that would be easy for this library would be the Synchronizer Token Pattern, specifically per-session (instead of per-request) tokens.
Implementing this could look like the following:
appSessioncookie. We'd rotate this token every time a new session ID is setcsrfCheck, which would be a function expected to return the CSRF token supplied in the request. The function would have the request headers and body (assumed x-www-form-urlencoded) from the incoming request as inputs, since limiting to these mitigates the risk of insecure requests that can leak the token (via query params).The
csrfCheckcould be used in a few different ways, such as:requiresCsrfToken(similar torequiresAuth) that will check requests for the token, and make sure it matches what's in the sessionAlternatives and current work-arounds
As a workaround, you can use another CSRF library from npm. If you're using SameSite=None, you NEED to remember this!
Additional information, if any
The cheat sheet mentions that custom HTTP request headers are preferred, but notably that only works for AJAX requests:
Side-note, since the csurf library was deprecated last month, I feel like many people are being hung out to dry with regards to CSRF.
Minimal Example
TODO: I have a really complex example here, but need to trim it down
The text was updated successfully, but these errors were encountered: