[OPT-2161] Store csrf session token in front-end

Type: Sub-task
Resolution: Won't Do
Priority: L3 - Default
Fix Version/s: 2.5.0-alpha1, 2.5.0
Affects Version/s: None
Component/s: frontend
Labels:
None

AT:

when the user is logged in, the front-end stores the CSRF token (e.g. in local storage)
with every additional request, the CSRF token is send in the request header
there is a notification shown to the user if a request was not successful due to the CSRF token validation

Context:
For the context of the attack, see the parent ticket. The back-end creates a CSRF token when a login request is peformed. The token is then needed for each further request in order to successfully perform it.

This is the controller panel for Smart Panels app

Johannes added a comment - 23/Apr/19 2:13 PM

We decided not do provide a CRSF token during login, since this would not work with SSO (single-sign on). Our approach to mitigate an CRSF attack is to set the same-site cookie flag to strict. Read more in ~~OPT-1929~~ about it.

Johannes added a comment - 23/Apr/19 2:13 PM We decided not do provide a CRSF token during login, since this would not work with SSO (single-sign on). Our approach to mitigate an CRSF attack is to set the same-site cookie flag to strict. Read more in OPT-1929 about it.

Assignee:: Unassigned

Reporter:: Johannes

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 15/Apr/19 9:34 AM

Updated:: 20/Apr/20 5:42 PM

Resolved:: 23/Apr/19 2:13 PM

Camunda Optimize

Details

Description

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Activity

Collapse comment: Johannes added a comment - 23/Apr/19 2:13 PM

Expand comment: Johannes added a comment - 23/Apr/19 2:13 PM

People

Dates

Salesforce