
We want to add CSRF protection for our AJAX enabled Web services. But some of the Web services have disabled Session state. So how to handle this?

The post Sessionless CSRF protection (double submit cookies) talks about this and suggests using cookies. But as the post Anti-CSRF cookie? points out, using a cookie may not be a good idea.

Can someone please point me towards the right way to go here?

Thanks in advance!

  • From what I've read, it's basically not possible to do good CSRF without sessions. I am wondering how I will secure my own AJAX APIs against CSRF considering that APIs don't generally use sessions. – NathanAldenSr Feb 28 '13 at 16:45
  • Thanks for the post! Yes, I also haven't found any good solution when sessions are disabled. But the good thing is that all such methods that have Session disabled do not change any state on server side, so it's not a CSRF issue in that case. – Abhishek Dixit Mar 06 '13 at 09:31
  • I ended up working through this after tons of research and experimentation. My JuniorRoute framework implements anti-CSRF protection by generating a "session" cookie (NOT a server-side session) that is persistent only as long as the browser is open. Then, server-side it generates a nonce per request which is then tracked in a database by session token. Each POST must contain a nonce that matches the session cookie. Take a look at the source for inspiration. https://github.com/NathanAlden/JuniorRoute – NathanAldenSr Mar 17 '13 at 01:39
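The stateless scheme the question and comments circle around (a double-submit cookie that an AJAX client echoes in a request header, with no server-side session) can be made resistant to the cookie-planting weakness raised in the "Anti-CSRF cookie?" post by signing the token with a server secret. The following is an added example written for this page; it is not code from the question, from JuniorRoute, or from either linked post. The cookie name `XSRF-TOKEN`, the header name `X-XSRF-TOKEN`, the `SERVER_SECRET` value and the `check_request` helper are all assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this secret is loaded from configuration
# and shared by all servers that validate tokens. The value here is constructed.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"

# Assumed names; the cookie must be readable by page script (not HttpOnly)
# so the AJAX client can copy its value into the header.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_token(secret=SERVER_SECRET):
    """Create a token 'nonce.mac' to be set as the anti-CSRF cookie.

    The HMAC binds the random nonce to the server secret, so a party that can
    plant cookies (e.g. from a sibling subdomain) still cannot mint a token
    that validates.
    """
    nonce = secrets.token_urlsafe(32)          # URL-safe, never contains '.'
    mac = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(token, secret=SERVER_SECRET):
    """Check that the token's MAC was produced with our secret."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def check_request(method, cookies, headers, secret=SERVER_SECRET):
    """Return True if a request passes the signed double-submit check.

    cookies/headers are plain dicts standing in for the framework's request
    objects. Safe methods are never state-changing and are exempt.
    """
    if method.upper() in SAFE_METHODS:
        return True
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    cookie_token = cookies.get(COOKIE_NAME)
    header_token = lowered.get(HEADER_NAME.lower())
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(cookie_token, header_token):
        return False
    return token_is_valid(cookie_token, secret)


if __name__ == "__main__":
    token = issue_token()
    # Legitimate AJAX call: script read the cookie and echoed it in the header.
    print("same-origin POST:", check_request("POST", {COOKIE_NAME: token}, {HEADER_NAME: token}))
    # Cross-site form/XHR: browser attaches the cookie, but the attacker cannot
    # read it, so the header is absent and the request is rejected.
    print("cross-site POST:", check_request("POST", {COOKIE_NAME: token}, {}))
    # Planted cookie pair without the secret: MAC does not verify.
    forged = "attacker-nonce.0000"
    print("planted pair:", check_request("POST", {COOKIE_NAME: forged}, {HEADER_NAME: forged}))
```

The server issues the cookie on any response (for example the page load that boots the AJAX client) and runs `check_request` only on state-changing methods; because validation needs nothing but the secret, it works for endpoints that have session state disabled, which is the constraint in the question.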

0 Answers