Quote:
Originally Posted by RustyBrooks
If your API is stateless, which to me implies no "session" cookie or other auto-keep-logged-in mechanism, you aren't at risk of CSRF, because requests made on a user's behalf from another site won't have them logged in.
This is not true. Any form taking POST params is open to CSRF. The CSRF token is basically a hidden <input> field. By default, CSRF tokens last for the individual form submission and have to be reset before a form submit can be handled again.
It doesn't matter if the user is logged in or not. As long as a form can be submitted, the CSRF token is needed to prevent CSRF attacks.
Quote:
Suzzer specifically said he had problems getting CSRF to work with a stateless API, so I find that confusing.
If, in effect, he is just trying to handle a POST param, then yes, it's arguably stateless. It sounds like his team is attempting to preserve the CSRF token for the next form submission, which is kind of strange and certainly an open attack vector. I have no clue why anyone would think preserving a token is a good idea, and it certainly falls under rolling your own security, very poorly at that.
Last edited by daveT; 07-12-2017 at 11:54 PM.
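As an added illustration of the single-use token behaviour discussed in this post (example code written for this page, not code from daveT or anyone else in the thread): a minimal server-side synchronizer-token store in Python that issues a token, renders it as the hidden field, and accepts it exactly once, so a token "preserved" for the next submission is rejected. The session identifier and the in-memory dictionary are assumptions standing in for a real session backend.

```python
import hmac
import secrets

# Outstanding, not-yet-used tokens keyed by session identifier. A real
# deployment would keep these in the session store or a cache with an
# expiry; a plain dict is used here only so the example runs stand-alone.
_outstanding = {}  # session_id -> set of unused tokens


def issue_token(session_id):
    """Create a fresh, unpredictable single-use token and remember it."""
    token = secrets.token_urlsafe(32)
    _outstanding.setdefault(session_id, set()).add(token)
    return token


def hidden_field(token):
    """Render the token as the hidden <input> the browser echoes back on POST."""
    return '<input type="hidden" name="csrf_token" value="%s">' % token


def consume_token(session_id, presented):
    """Return True if the POST may be handled; the token is spent either way.

    Comparison is constant-time, and a matching token is removed immediately,
    so the same value can never authorise a second submission.
    """
    for stored in _outstanding.get(session_id, ()):
        if hmac.compare_digest(stored, presented or ""):
            _outstanding[session_id].discard(stored)  # single use, then gone
            return True
    return False


def demo():
    """Legitimate submit, replay of the same token, and a forged value."""
    sid = "session-abc"  # constructed session identifier for the demo
    tok = issue_token(sid)
    first = consume_token(sid, tok)                 # real form submission
    replay = consume_token(sid, tok)                # token kept and re-sent
    forged = consume_token(sid, "attacker-guess")   # value never issued
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

Each form render should call issue_token() again; the reset step the post mentions is exactly the discard inside consume_token().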