If I store a static session token in JS for use with AJAX, will it be secure against CSRF?
<p>I've been reading about CSRF and XSS vulnerabilities for a few days now, and trying to come up with a solution that's 1) easy to implement and use, 2) uses Javascript to do a lot of heavy lifting, and 3) makes it virtually impossible to perform a CSRF attack against.</p>
<p>I haven't seen a solution like the one I'm about to describe. I'm hoping this doesn't mean that it's leaky.</p>
<p>I've come up with the following solution, based on my knowledge of AJAX and JS. This code assumes the user has passed through a login screen, and a session variable has been set on the server <strong>and</strong> in a cookie, with the same values.</p>
<p>It's easier to paste the code in and document it, rather than explain what it's doing. This code would be run in the page the user sees immediately after logging in:</p>
<pre><code>&lt;script&gt;
// this is the constructor:
// (assumes the ajaxObject AJAX helper used here is already loaded on the page)
function Controller(){
    //the following 2 variables are private, and inaccessible via JS calls
    var secretToken; //this holds the session token, but cannot be read by the browser

    //returns the session token from the server
    var x = new ajaxObject('AJAX/retrieve_session_cookie.lasso');
    x.callback = function(responseText, responseStatus){
        secretToken = responseText;
    };

    //this is a private function, again inaccessible via JS calls
    function getCookie(){
        x.update();
    }

    //the following 2 functions are publicly accessible
    //just a test function to ensure that secretToken is invisible
    this.tell = function(){
        alert(secretToken);
    };

    //privileged function that calls a private function, to load the token into a private variable
    this.initialize = function(){
        getCookie();
    };
}

var E = new Controller();
E.initialize();
&lt;/script&gt;
</code></pre>
<p>The variable <code>secretToken</code> can't be read by the user, as it's a private member variable of the controller object.</p>
<p>In <code>retrieve_session_cookie.lasso</code>, I'm checking for a valid session, and matching the session variable with the browser's cookie. If both these conditions are met, the session variable is returned in plain text, where it's set as <code>secretToken</code> in the object <code>E</code>. By double-checking to see if the cookie matches the session token, I would hope that it would be impossible to obtain the session token via CSRF, as it can't forge a cookie. Typing in 'AJAX/retrieve_session_cookie.lasso' would return nothing, unless it was typed in by the user while in a valid session, and from the user's computer only.</p>
<p>Also, now that my controller has local access to the session token, I could 'burn in' the session token with every AJAX request, so I don't even have to think about passing a token anymore, each time an AJAX file is requested. All the AJAX objects and requests would be initialized as private members in the controller object's constructor, so nobody could access / modify the callback functions to disclose the session token.</p>
<p>Passing the session token with every AJAX call would protect every other AJAX file, as they would all perform the same check for the cookie matching the session token before returning any data. And, in my programming, there would be one less variable to worry about.</p>
<p>If I were to move ahead with a controller implemented this way, would there be ANY way for the token to be accessed / exploited, either by the user or a malicious coder via CSRF?</p>