
I am implementing CSRF protection in my web application.

I have used the org.springframework.security.web.csrf.CookieCsrfTokenRepository class to generate the X-XSRF token. This token is being sent as a cookie in every request's response.

The UI component, which is a single-page application deployed on a different server, reads this cookie, extracts the X-XSRF token from it, and sets it as a header in all subsequent requests.

Spring validates the received X-XSRF token and allows/denies the request. This works fine.

But there is a constraint: this X-XSRF cookie has to have httpOnly set to false so that client-side JavaScript can read it.

We cannot read a cookie for which httpOnly is true.

Is there any other alternative to protect a web application against CSRF where the X-XSRF token cookie has httpOnly set to true?

Using the JavaScript method (document.cookie), I cannot read the cookies for which the httpOnly attribute is set to true, see:

I cannot make the changes to set httpOnly to false for all the cookies in WebSphere.

Or am I missing something where client-side JavaScript can read a cookie for which httpOnly is true?

dur
Kundan Saini

1 Answer


See Spring Security Reference:

CookieCsrfTokenRepository

There can be cases where users will want to persist the CsrfToken in a cookie. By default the CookieCsrfTokenRepository will write to a cookie named XSRF-TOKEN and read it from a header named X-XSRF-TOKEN or the HTTP parameter _csrf. These defaults come from AngularJS.

You can configure CookieCsrfTokenRepository in XML using the following:

<http>
    <!-- ... -->
    <csrf token-repository-ref="tokenRepository"/>
</http>
<b:bean id="tokenRepository"
    class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"
    p:cookieHttpOnly="false"/>

The sample explicitly sets cookieHttpOnly=false. This is necessary to allow JavaScript (i.e. AngularJS) to read it. If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omit cookieHttpOnly=false to improve security.

You can configure CookieCsrfTokenRepository in Java Configuration using:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

The sample explicitly sets cookieHttpOnly=false. This is necessary to allow JavaScript (i.e. AngularJS) to read it. If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omit cookieHttpOnly=false (by using new CookieCsrfTokenRepository() instead) to improve security.

dur
  • I agree!! So it looks like if client-side JavaScript wants to read this XSRF-TOKEN from the cookie and send it back to the server as part of the X-XSRF-TOKEN header for all subsequent requests, in order to validate that the request is true and valid, the XSRF-TOKEN cookie's httpOnly property has to be false. – Kundan Saini Apr 20 '19 at 15:32
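
The constraint discussed in this thread, as an added example that is not part of the original posts or of Spring Security: a small JavaScript model of which cookies document.cookie exposes to script, and of how a single-page application turns the XSRF-TOKEN cookie into the X-XSRF-TOKEN header. The Set-Cookie lines and the function names are constructed for illustration; only the cookie and header names come from the quoted Spring defaults.

```javascript
// Constructed sample Set-Cookie headers (not taken from the original page).
const READABLE = [
  "XSRF-TOKEN=constructed-token-123; Path=/",
  "JSESSIONID=constructed-session; Path=/; HttpOnly",
];
const HTTP_ONLY = [
  "XSRF-TOKEN=constructed-token-123; Path=/; HttpOnly",
  "JSESSIONID=constructed-session; Path=/; HttpOnly",
];

// Model of what document.cookie exposes: the name=value pairs of every
// cookie that does NOT carry the HttpOnly attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((line) => line.split(";").map((part) => part.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// Look up one cookie value in a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue; // empty or malformed segment
    if (pair.slice(0, idx).trim() === name) {
      return decodeURIComponent(pair.slice(idx + 1).trim());
    }
  }
  return null;
}

// Headers the SPA would attach to a state-changing request, or null when
// the token cookie is hidden from script and no header can be built.
function csrfHeaders(cookieString) {
  const token = readCookie(cookieString, "XSRF-TOKEN");
  return token === null ? null : { "X-XSRF-TOKEN": token };
}

// In a browser the call would be: csrfHeaders(document.cookie)
```

With the HTTP_ONLY sample the browser still sends the cookie back to the server, but the script has no value to copy into the header, which is the situation the question describes.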