
Using Spring Security, my understanding is that you obtain the csrf token on a GET, then include it in the header for any following POST, PUT, DELETE requests. But login is a POST! So how do I get the csrf token in order to include it in the header for the login request?

I do not want to disable csrf for the login route.

Kyle Laster

2 Answers


You do not need csrf when logging in. You are already authorized by username and password. You can ignore that path in the settings.

  • I disagree, multiple threads online share the risks of not protecting login. https://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks#:~:text=Yes.,user%20account%20with%20the%20victim. https://security.stackexchange.com/questions/62769/should-login-and-logout-action-have-csrf-protection – Kyle Laster Jun 16 '20 at 07:55
  • Your csrf token is a token that represents you, but not others. So you have a way to exchange your credentials to get that token. That is the first request to the server with your credentials (username/password); here it is the login form. The only way to get a csrf token is your username and password. If an attacker wants the csrf token to fool you, he must know your username and password. If the attacker knows that then he can log in by himself. – user3562932 Jun 16 '20 at 08:17
  • I was wrong. You are right. Here is further reading for anyone interested. Basically, if you are using cookies you need csrf protection with an api. If not, you do not need it. (Not including HTTP Basic Authentication). https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints – Kyle Laster Jun 16 '20 at 08:29
  • Glad to see it helped you – user3562932 Jun 16 '20 at 08:31
  • @user3562932 But Sonarqube considered disabling csrf for the login route a vulnerability – Ayoub Anbara Oct 26 '21 at 15:22

If you are using Spring Boot, then the csrf token is automatically added to the response by the CsrfRequestDataValueProcessor. Spring Boot by default does not add the csrf token for GET but for POST it will be added as it modifies the state. To use the token, for instance with jsp:

<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}"
    method="post">
  <input type="submit"
    value="Log out" />
  <input type="hidden"
    name="${_csrf.parameterName}"
    value="${_csrf.token}"/>
</form>

When the form is loaded, Spring Boot will automatically inject the value for the csrf token through the post processor. If you want to use the csrf token in an ajax call then you will have to get the csrf token by inspecting the DOM and add it to your ajax request manually:

$(function () {
  var token = $("meta[name='_csrf']").attr("content");
  var header = $("meta[name='_csrf_header']").attr("content");
  $(document).ajaxSend(function(e, xhr, options) {
    xhr.setRequestHeader(header, token);
  });
});

Note: Both these examples are from the documentation itself.

Official doc.

Ananthapadmanabhan
  • I read the docs before posting here. The "_csrf_header" is a variable for "X-CSRF-TOKEN", per the docs. But what is "_csrf" a variable for? I am using an api - not mvc model. So my login is the first time I talk to the server. How will I know the _csrf value? I could hit it once, get a 403, then copy the cookie from the 403 to a subsequent request header. This works. But obviously I don't want two requests every login with the expectation of the first always being a 403. – Kyle Laster Jun 16 '20 at 08:06
  • Yes, if that is the case, like if you do not have a login page being displayed. Then what you could do is remove the login rest url from the csrf protected path. You are already having username and password being sent over for validation and the csrf protection is recommended by spring for use in cases where a normal user is going to use the website via a browser. If you are having a rest api then you may opt to not use it as there is probably no danger in doing so. – Ananthapadmanabhan Jun 16 '20 at 08:14
  • @KyleLaster CSRF is for Cross Site Request Forgery prevention right. So if you don't have a browser exposed ui that could be used to redirect a user to a malicious website, I don't see how csrf affects a rest api that you are using for login. – Ananthapadmanabhan Jun 16 '20 at 08:17
  • This link will explain why it could be necessary. If you are using cookies to remember token, you need csrf protection. https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints – Kyle Laster Jun 16 '20 at 08:28
  • @KyleLaster Why are you using cookies with rest endpoints in the first place? Rest apis are supposed to be stateless. Even if you have a cookie to store the csrf token, the rest apis generally have other mechanisms like a bearer token or jwt token which is used for validating the user, hence csrf may not be required. Also the use case provided in your link is not for everyone. It depends entirely on how you architect your application. – Ananthapadmanabhan Jun 16 '20 at 08:58
  • I'm not using cookies. I was answering your question as to why anyone would, and there is a use-case explained in that link. We are miscommunicating. My specific use case (Bearer JWT Token without cookies) was answered by someone else. Thank you for your help. – Kyle Laster Jun 16 '20 at 12:55
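The client side of the flow this answer and its comments discuss, for the cookie-backed session case where the thread agrees csrf protection is still needed, as an added example that is not code from the answer or from Spring's documentation. It assumes the server is configured with Spring Security's CookieCsrfTokenRepository (not mentioned above), whose default cookie and header names are XSRF-TOKEN and X-XSRF-TOKEN, and it obtains the token with one ordinary GET before the login POST instead of provoking a 403 first; the fake server, the cookie values and the names sendFn/readCookies/loginWithCsrf are constructed for this example.

```javascript
const CSRF_COOKIE = "XSRF-TOKEN";   // Spring default cookie name (assumed config)
const CSRF_HEADER = "X-XSRF-TOKEN"; // Spring default header name it checks against

// Parse a document.cookie style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Headers for a state-changing request; null when no token cookie exists yet.
function csrfHeaders(cookieString) {
  const token = parseCookies(cookieString)[CSRF_COOKIE];
  return token ? { "Content-Type": "application/json", [CSRF_HEADER]: token } : null;
}

// Login flow: with no token cookie present, do one harmless GET first so the
// server issues it, then POST /login carrying the header. sendFn is a synchronous
// stand-in for fetch; readCookies returns the cookie string (document.cookie).
function loginWithCsrf(sendFn, readCookies, username, password) {
  let headers = csrfHeaders(readCookies());
  if (!headers) {
    sendFn("/", { method: "GET", credentials: "same-origin" });
    headers = csrfHeaders(readCookies());
    if (!headers) throw new Error("server did not issue a CSRF cookie");
  }
  return sendFn("/login", { method: "POST", credentials: "same-origin", headers,
                            body: JSON.stringify({ username, password }) });
}

// Constructed fake server: GET issues the cookie; POST passes only if header matches it.
function makeFakeServer() {
  const jar = {}, calls = [];
  const sendFn = (url, opts = {}) => {
    const method = opts.method || "GET";
    calls.push(`${method} ${url}`);
    if (method === "GET") { jar[CSRF_COOKIE] = "constructed-token/1"; return { status: 200 }; }
    const sent = opts.headers ? opts.headers[CSRF_HEADER] : undefined;
    return { status: sent && sent === jar[CSRF_COOKIE] ? 200 : 403 };
  };
  const readCookies = () =>
    Object.entries(jar).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; ");
  return { sendFn, readCookies, calls };
}
```

With the real fetch API the same logic applies, with each sendFn call awaited and credentials set so the browser sends the session and XSRF-TOKEN cookies.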