
Add an ability to configure if a secure server should support authentication with a cookie or not #10725

Closed
sleshchenko opened this issue Aug 10, 2018 · 1 comment
Assignees
Labels
kind/enhancement A feature request - must adhere to the feature request template. status/in-progress This issue has been taken by an engineer and is under active development.

Comments

@sleshchenko
Member

sleshchenko commented Aug 10, 2018

Description

Add an ability to configure if a secure server should support authentication with a cookie or not.

It is related to Cross-Site Request Forgery (CSRF).
A CSRF attack is possible only if:

  • cookie authentication is used;
  • a server provides an API that has modifying methods which can be invoked by submitting a form.

An example of an application that CAN use cookie authentication without any additional CSRF protection is the Theia application. It has one non-modifying endpoint for loading a client, and another one is a WebSocket endpoint for communication between the client and server sides. Neither of them can be attacked by CSRF.

An example of an application that CAN NOT use cookie authentication without additional CSRF protection (such as a CSRF token) is any web application that has methods which accept GET and POST requests with any of the form-supported content types.

So, to protect secure servers better, it is necessary to:

  1. Add an ability to configure if a secure server should support authentication with a cookie or not. It can be done with the corresponding attribute in the server config. If the attribute is absent, then it is assumed that authentication with a cookie is forbidden.
  2. Modify JWTProxy to make it possible to configure:
    2.1. Whether or not to fetch the token from cookies.
    2.2. Whether to redirect a user to the loader page that will set cookies, or just respond 403, in the case when a token is absent or invalid.
@sleshchenko sleshchenko added kind/enhancement A feature request - must adhere to the feature request template. status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. team/platform labels Aug 10, 2018
@sleshchenko sleshchenko added status/in-progress This issue has been taken by an engineer and is under active development. and removed status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. labels Aug 10, 2018
@sleshchenko sleshchenko self-assigned this Aug 10, 2018
@sleshchenko
Member Author

sleshchenko commented Aug 10, 2018

Update: exec-agent is removed as the example of an application where authentication with a cookie must be forbidden, because it doesn't have any modifying GET or POST methods which accept HTML-form-supported content types.
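The following is an added example, not code from this issue, from Eclipse Che or from JWTProxy, showing how the two proposed switches (point 1: a server attribute that defaults to "cookie auth forbidden" when absent; point 2: whether the proxy reads the token from a cookie, and whether it redirects to the loader page or answers 403) could be wired into an HTTP authentication middleware. The attribute name `cookiesAuthEnabled`, the cookie name `access_token`, the loader path and the request path are all assumptions; the token validator is a constructed stand-in rather than real JWT verification. The point it demonstrates is the CSRF reasoning in the issue: a cross-site form submission carries the victim's cookies but never an `Authorization` header, so a server that does not opt in to cookie authentication rejects such a request even when the cookie holds a valid token.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// cookieAuthAttribute is an assumed name for the server-config attribute the
// issue proposes; the issue itself does not name it.
const cookieAuthAttribute = "cookiesAuthEnabled"

// AuthConfig captures the two proxy switches from point 2 of the issue.
type AuthConfig struct {
	FetchFromCookie  bool   // 2.1: read the token from a cookie, or only from the header
	RedirectToLoader bool   // 2.2: redirect to the loader page, or answer 403
	LoaderURL        string // page that sets the cookie (assumed path)
	CookieName       string // cookie carrying the token (assumed name)
}

// ConfigFromServerAttributes derives the proxy config from the server's
// attributes. An absent attribute means cookie authentication is forbidden (point 1).
func ConfigFromServerAttributes(attrs map[string]string) AuthConfig {
	cookieAuth := attrs[cookieAuthAttribute] == "true"
	return AuthConfig{
		FetchFromCookie:  cookieAuth,
		RedirectToLoader: cookieAuth, // redirecting only makes sense if cookies are accepted
		LoaderURL:        "/_app/loader.html",
		CookieName:       "access_token",
	}
}

// Validator stands in for JWT signature and expiry verification.
type Validator func(token string) bool

// extractToken always honours a bearer header (a cross-site form post cannot
// attach one) and consults the cookie only when the server opted in.
func extractToken(cfg AuthConfig, r *http.Request) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	if cfg.FetchFromCookie {
		if c, err := r.Cookie(cfg.CookieName); err == nil {
			return c.Value
		}
	}
	return ""
}

// AuthMiddleware rejects requests without a valid token, either by redirecting
// to the loader page or with 403, according to the configuration.
func AuthMiddleware(cfg AuthConfig, valid Validator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := extractToken(cfg, r)
		if tok == "" || !valid(tok) {
			if cfg.RedirectToLoader {
				target := cfg.LoaderURL + "?redirect_url=" + url.QueryEscape(r.URL.RequestURI())
				http.Redirect(w, r, target, http.StatusFound)
				return
			}
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Dispatch runs one request through the middleware in front of a trivial
// 200 handler and returns the resulting status code.
func Dispatch(cfg AuthConfig, valid Validator, r *http.Request) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	AuthMiddleware(cfg, valid, ok).ServeHTTP(rec, r)
	return rec.Code
}

// ConstructedValidator accepts exactly one constructed token value.
func ConstructedValidator(token string) bool { return token == "constructed-valid-token" }

func main() {
	forbidden := ConfigFromServerAttributes(map[string]string{}) // attribute absent
	allowed := ConfigFromServerAttributes(map[string]string{cookieAuthAttribute: "true"})

	// Constructed request: a modifying call that carries only the session
	// cookie, which is all a cross-site form submission would carry.
	req := httptest.NewRequest("POST", "/api/resource", nil)
	req.AddCookie(&http.Cookie{Name: "access_token", Value: "constructed-valid-token"})

	fmt.Println("cookie only, cookie auth forbidden:", Dispatch(forbidden, ConstructedValidator, req)) // 403
	fmt.Println("cookie only, cookie auth allowed:  ", Dispatch(allowed, ConstructedValidator, req))   // 200
}
```

With the attribute absent the same valid cookie is ignored and the request gets 403, which is the default the issue asks for; only a server that explicitly opts in (as Theia could, having no form-invokable modifying endpoints) accepts the cookie and, when the token is missing, redirects to the loader page instead of failing.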
