Add an ability to configure if a secure server should support authentication with a cookie or not #10725
Labels
kind/enhancement
A feature request - must adhere to the feature request template.
status/in-progress
This issue has been taken by an engineer and is under active development.
Description
Add an ability to configure if a secure server should support authentication with a cookie or not.
It is related to Cross-Site Request Forgery (CSRF).
A CSRF attack is possible only if:
An example of an application that CAN use cookie authentication without any additional CSRF protection is the Theia application. It has one non-modifying endpoint for loading a client, and the other is a WebSocket endpoint for communication between the Client and Server sides. Neither of them can be attacked by CSRF.
An example of an application that CAN NOT use cookie authentication without additional CSRF protection (such as a CSRF token) is any web application that has methods which accept GET and POST requests with any of the form-supported content types.
So, to protect secure servers more, it is needed to:
2.1. Fetch the token from cookies or not.
2.2. Redirect a user to the loader page that will set cookies or not, or just respond 403 in the case when a token is absent or invalid.
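The following is an added illustration of the two switches described in this issue, not code from the Che project or from the issue's author. It models a secure-server request filter with a flag for whether a token may be taken from a cookie (2.1) and a flag for redirecting to a loader page versus answering 403 when the token is absent or invalid (2.2), plus a classifier that decides, by the issue's own criteria, whether an application can turn cookie authentication on without extra CSRF protection. All names (`SecureServerConfig`, `/loader`, the `access_token` cookie), the token store and the sample endpoints are constructed for this example.

```python
"""Added example, not project code: a secure-server request filter with the
cookie-authentication and loader-redirect switches described in the issue.
Token store, cookie name, loader URL and endpoints are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import urlencode

# Constructed token store; a real server would validate against its identity provider.
VALID_TOKENS = {"tok-alice-123"}

# Methods that must not change state, so a cross-site request to them is harmless.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Content types a cross-site HTML <form> can submit without a CORS preflight.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # case-sensitive keys for brevity
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecureServerConfig:
    cookie_auth_enabled: bool          # 2.1: may the token be fetched from a cookie?
    redirect_to_loader: bool           # 2.2: redirect to loader page instead of 403?
    loader_url: str = "/loader"        # hypothetical page that sets the cookie
    cookie_name: str = "access_token"  # hypothetical cookie name


@dataclass
class Endpoint:
    """An endpoint of the protected application, as the issue describes them."""
    method: str
    path: str
    accepts: Set[str] = field(default_factory=set)  # request content types accepted
    websocket: bool = False


def csrf_exposed(ep: Endpoint) -> bool:
    """The issue's criterion: a non-modifying endpoint or a WebSocket endpoint
    is not CSRF-exposed; an endpoint taking a form content type is."""
    if ep.websocket or ep.method in SAFE_METHODS:
        return False
    return any(ct.lower() in FORM_CONTENT_TYPES for ct in ep.accepts)


def can_enable_cookie_auth(endpoints: Iterable[Endpoint]) -> bool:
    """Cookie auth without a CSRF token is acceptable only if no endpoint is exposed."""
    return not any(csrf_exposed(ep) for ep in endpoints)


def extract_token(req: Request, cfg: SecureServerConfig) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, source). The Authorization header is always honoured;
    the cookie is consulted only when switch 2.1 is on."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip(), "header"
    if cfg.cookie_auth_enabled:
        tok = req.cookies.get(cfg.cookie_name)
        if tok:
            return tok, "cookie"
    return None, None


def authenticate(req: Request, cfg: SecureServerConfig) -> Response:
    token, source = extract_token(req, cfg)
    if token in VALID_TOKENS:
        return Response(200, {"X-Auth-Source": source})
    # Token absent or invalid: either send the browser to the loader page that
    # sets the cookie, or refuse outright (switch 2.2).
    if cfg.redirect_to_loader:
        location = f"{cfg.loader_url}?{urlencode({'redirect_uri': req.path})}"
        return Response(302, {"Location": location})
    return Response(403)
```

Switch 2.1 simply removes the cookie as a token source, so a server fronting a form-accepting application can keep bearer-header authentication while refusing the cookie path that CSRF would ride on. Switch 2.2 only changes what happens once the token check has already failed; the loader redirect is the interactive-login path, 403 is the API path.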