2

I'm building a mobile app using AngularJS as frontend, and SlimPHP as API provider that connects to Mysql. Frontend and backend are on separate domains.

  • So an user posts the login form from Angular
  • PHP catches it and authenticates the user and then generates a random token
  • This token is then stored in database(user table) and passed back to Angular in Json format
  • Angular stores the token in cookie.

So on every $http call from Angular to API, I want to embed the token in the header so PHP can verify again the DB user table if the call is legit.

I'm wondering if this a secure solution?

William Robert
  • 63
  • 1
  • 5
  • This question is a bit opinionated and not really a good fit for StackOverflow, however, here is my opinion: I would not store the CSRF token in cookies on the client side or the database on the server side. The best forms of CSRF protection are those where the server can issue a unique CSRF code for each request that will be performed by the client. CSRF tokens are often limited to only form submissions and it can be quite simple to get the server to issue a unique CSRF code for a particular form. – Scopey Apr 07 '15 at 04:08
  • 1
    angular has a built in token system header already within `$http` api. read the docs – charlietfl Apr 07 '15 at 04:32
  • Thanks for the reply. If CSRF is not suitable here, what would you recommend for API call verification? Or do you mind pointing me to the right direction? From my understanding, if I save the server generated token in a cookie on the client side, someone could be able to have access the cookie and pretending to be the user to submit request? – William Robert Apr 07 '15 at 04:34
  • 1
    Maybe useful?: [Authorization and Authentication to REST API from JavaScript Client](http://stackoverflow.com/questions/14262271/authorization-and-authentication-to-rest-api-from-javascript-client) – Ryan Vincent Apr 07 '15 at 05:48

1 Answers1

0

You need to look into JWT (json web tokens)

Coldstar
  • 1,324
  • 1
  • 12
  • 32