
Update: [CSRF] Mention that non-signed Double Submit Cookie tokens can be generated client & server side. #1111


Open
advename opened this issue Apr 2, 2023 · 2 comments
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@advename
Contributor

advename commented Apr 2, 2023

What is missing or needs to be updated?

OWASP Double Submit cookie doesn’t mention whether the token should be generated server or client side. However, it does so for the Synchronizer token pattern.

This has historically created many doubts:

Using non-signed tokens, there's no difference between generating the token server or client side, since both:

  • can generate a cryptographically random value (client side with the Web Crypto API)
  • set the token in a non-HttpOnly cookie

How should this be resolved?

The Double Submit Cookie section should state more specifically that the token can be generated both server and client side for non-signed tokens, but only server-side for signed tokens, thus eliminating confusion.

@advename advename added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Apr 2, 2023
@mackowski
Collaborator

@advename good issue. Do you want to make a PR for that?

@advename
Contributor Author

I can try, but will take some time!

@mackowski mackowski added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Apr 28, 2023