Since the access token is vulnerable to XSS
and cookies are vulnerable to CSRF,

is it possible to have a solution that uses both (access token and session cookie)?

My point is to generate a random string called X and store it in both the access token and the session cookie, so when a request to a resource is made, the server side will make sure that the string in the cookie and the string in the token are the same.

In this case we are eliminating the individual XSS and CSRF attacks.

Is this solution more secure than token-based and cookie-based authentication?
And are there any critical vulnerabilities in it?
If there are any enhancements, please suggest them.

Raed Khalaf

1 Answer


A similar technique called a CSRF token already exists; I would look into that:

What is a CSRF token ? What is its importance and how does it work?

Also, the best you can do to protect against XSS is to add good XSS protection, and the best thing you can do to protect against CSRF is to put good cookie policies in place.

TareqK
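The server-side check the question describes, written out as an added example (this is not code from the question, the answer, or any framework): a random binding value X is minted once, placed in an HttpOnly session cookie and inside an HMAC-signed access token, and a request is accepted only when the token's signature verifies and the X it carries matches the X in the cookie. The key, cookie name and token layout are constructed for the demo. As the answer notes, this pairing addresses the cross-site (CSRF) case by requiring the non-cookie half; it does not replace XSS protection, since script running in the victim's origin still has the browser's cookies attached to its requests.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"demo-only-server-key-do-not-reuse"
COOKIE_NAME = "session_x"  # assumed cookie name for the binding value X


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credentials(user_id: str, key: bytes = SERVER_KEY, ttl: int = 3600):
    """Mint a random X and place it in both a Set-Cookie value and a signed token."""
    x = secrets.token_urlsafe(32)
    payload = {"sub": user_id, "x": x, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    token = f"{body}.{sig}"
    # HttpOnly keeps X in the cookie out of reach of page scripts; SameSite limits
    # when the browser attaches it to cross-site requests at all.
    set_cookie = f"{COOKIE_NAME}={x}; HttpOnly; Secure; SameSite=Strict"
    return set_cookie, token


def cookie_x_from_set_cookie(set_cookie: str) -> str:
    """Extract the X value from the Set-Cookie string issue_credentials produced."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def _parse_token(token: str, key: bytes):
    """Return the token payload if its HMAC verifies and it is unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < time.time():
        return None
    return payload


def verify_request(headers: dict, cookies: dict, key: bytes = SERVER_KEY):
    """Return the user id if the signed token is valid AND its X matches the cookie's X."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None  # no token: a cross-site form post carries only the cookie
    payload = _parse_token(auth[len("Bearer "):], key)
    if payload is None:
        return None  # forged, tampered or expired token
    cookie_x = cookies.get(COOKIE_NAME)
    if cookie_x is None:
        return None  # no cookie: the token is being replayed outside the session
    # Constant-time comparison of the two copies of X.
    if not hmac.compare_digest(str(payload.get("x", "")).encode(), str(cookie_x).encode()):
        return None  # cookie and token were not issued together
    return payload.get("sub")


if __name__ == "__main__":
    set_cookie, token = issue_credentials("alice")
    x = cookie_x_from_set_cookie(set_cookie)
    print("both halves:   ", verify_request({"Authorization": "Bearer " + token}, {COOKIE_NAME: x}))
    print("cookie only:   ", verify_request({}, {COOKIE_NAME: x}))
    print("token only:    ", verify_request({"Authorization": "Bearer " + token}, {}))
    _, other_token = issue_credentials("bob")
    print("mismatched X:  ", verify_request({"Authorization": "Bearer " + other_token}, {COOKIE_NAME: x}))
```

The four calls under `__main__` cover the cases the question is about: a request with both halves is accepted, a cookie-only request (the CSRF shape) and a token-only request are rejected, and a cookie paired with a token from a different session is rejected because the two copies of X differ.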