Authentication without CSRF token
Question
I have a simple web app that does the authentication of a user. It is working under https, as it is simple it requires two fields username , password + csrf token .
Now I have implemented a simple API, that verifies if the user with the given username and password exist. It is called with jquery.post() method, on the same domain, also using https, but I supply only username and password .
Assuming that my API has only one function for the moment "is-registered" do I need to worry about something? Except of course brute-force.
1 answers
solution1
1 ACCPTED 2017-04-12 18:33:50
Assuming that my API has only one function for the moment "is-registered" do I need to worry about something?
"Something" is quite too broad for me to competently answer, but you do not need to worry about CSRF in your case, as long as you keep the request and its result and causes like you described. Let me tell you why.
CSRF attack means that an attacker tricks or forces an user to do an action (send request) which attacker wants with parameters and data an attacker wants, but in the name of the user (with user's valid session and/or other private information of the user).
You do not need CSRF tokens if it may never cause any harm to anyone if the website thinks that the user made the request, although he was just forced to do so. It seems like you case, because it does no harm if an user is forced to ask whether an account with name and password provided by attacker exists.
You just need to be careful not to change causes of such request and its result based on which user sent it.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.