
I've been searching the web for an answer but couldn't find a clear one. As I don't really understand CSRF attacks, and as the state parameter in OAuth 2.0 is made to avoid this kind of attack, I was just wondering whether the state parameter needs to be generated on the client side, placing the value in localStorage, or on the backend server, storing it in a session variable that I then return to the client side to create my URL. The first solution seems the best, but is it secure?

Any help is greatly appreciated.

JSmith

1 Answer


More about the state parameter can be found in this answer.

Where to generate the state and where to store it will depend on the nature of your application. Regardless of the client type, what the client must do is validate the state parameter in the authorization code response.

For a single page application, which does not have a backend, the state will have to be generated and stored in the browser itself. Once the response arrives, the state value will have to be compared.

For a native application (e.g. a mobile app), the state could be stored in application memory. It can be appended to the authorization request. When the response comes, it can be validated against the value in memory.

If the application desires, the state can be stored in a backend (e.g. a server). This can be considered more secure (compared to an SPA) given that no one can intercept/obtain the value other than from the request itself. Once the redirect occurs, the backend can validate the response parameters. Moreover, it can be used to correlate the client session.

Also, stealing the state value is only valuable for a party which tries to mount a CSRF attack. But be mindful to generate state values that cannot be guessed. Further reading on storage: 3.6. "state" Parameter

Kavindu Dodanduwa
  • Thank you very much for this answer. I'm using Angular, so a single page application. Still, I have a backend server, so could I have a function that grabs the generated state from the backend server (Google App Engine, Java EE) before inserting it into the URL the client clicks, and afterwards compare it on the server side? Would it be a good practice? Many thanks in advance. – JSmith Dec 12 '18 at 10:01
  • If you check this document - https://tools.ietf.org/html/rfc6819#section-5.3.5 - it mentions using a hash of the session cookie as the state. If you do not wish to perform any further validation from the backend, you can simply use such an approach. It all depends on your design. – Kavindu Dodanduwa Dec 12 '18 at 11:01
  • Ok, many thanks. I will see what is best; not sure I understand everything but I will try to figure it out (hash of session cookie). Also I don't really understand what prevents me from backend validation with my system, as I told you I needed to finally compare the value on the backend (session variable compared to URL parameter). Sorry for my not so good understanding, but I'm a website builder newbie. Best – JSmith Dec 12 '18 at 11:07