Question

I want to secure my REST calls against XSRF attacks. What I am doing is the following:

  1. The server sends a loggedIn cookie to the browser after the user has logged in successfully.
  2. On each request (GET, POST, DELETE) I send the loggedIn cookie to the server as well as an XSRF token (XSRF token is sent as header parameter) which is generated by hashing the JSESSIONID cookie with MD5 like it is proposed here. (JSESSIONID is not sent to the server)
  3. The server verifies the XSRF token by hashing the JSESSIONID cookie with MD5 and compares the result with the XSRF token from the request.
  4. If both values are equal the server processes the request.

Edit: I did not use the standard approach because I use GWTP REST instead of GWT-RPC.

Question:

Is this a good approach? Does it matter if I send the LoggedIn Cookie to the server? Does it increase the vulnerability?


Solution

Q. Is this a good approach?

The dev guide states:

This stateless XSRF protection implementation relies on the fact that attacker doesn't have access to the session cookie and thus is unable to generate valid XSRF token.

The XSRF token is a simple hash of the JSESSIONID cookie and MD5 is not recommended for password storage any longer (old version of page, current version is here):

As such general hashing algorithms (eg, MD5, SHA-1/256/512) are not recommended for password storage.

However, as an attacker has no method of retrieving the JSESSIONID value, this method is simply another way of executing the OWASP recommended double submit cookies XSRF prevention method and is secure. To answer this question it seems like a good approach to me.

Q. Does it matter if I send the LoggedIn Cookie to the server?

Yes, you should send the authentication cookie too, so that your API can authorise the user in the normal way as well.

Q. Does it increase the vulnerability?

There is no extra risk in sending the cookie with the request as well. It would be a good idea to protect your REST service with HTTPS so all data is encrypted whilst in transit.
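The exchange described in the question and the answer, as an added example that is not part of the original question, answer, or GWT/GWTP: a legitimate request where the application's own script computes MD5(JSESSIONID) into a header, and a cross-site request that carries the victim's cookies but cannot produce the header. The header name `X-XSRF-TOKEN`, the `Server` class, and the `loggedIn` cookie value are assumptions; the model also assumes the browser sends the JSESSIONID cookie with every request, since the server needs it to recompute the token.

```python
# Added example (not code from the question, the answer, or GWTP): a minimal
# model of the scheme discussed above. Token = MD5(JSESSIONID), sent in a
# request header; the server recomputes the hash from the session cookie and
# compares. Server, XSRF_HEADER and the "loggedIn" cookie are assumed names.
import hashlib
import hmac
import secrets

XSRF_HEADER = "X-XSRF-TOKEN"  # assumed header name for the token


def xsrf_token(jsessionid: str) -> str:
    """Token derivation from the question: hex MD5 of the session id.
    It is one-way, so the token reveals nothing usable about JSESSIONID."""
    return hashlib.md5(jsessionid.encode()).hexdigest()


class Server:
    """Stand-in for the REST backend: issues cookies on login and
    enforces the XSRF check on every request (GET, POST, DELETE)."""

    def __init__(self):
        self.sessions = {}  # JSESSIONID -> username

    def login(self, username: str) -> dict:
        jsessionid = secrets.token_hex(16)
        self.sessions[jsessionid] = username
        # Both cookies go back to the browser; JSESSIONID is the secret the
        # token is derived from, loggedIn carries nothing secret.
        return {"JSESSIONID": jsessionid, "loggedIn": "true"}

    def handle(self, method: str, path: str, cookies: dict, headers: dict):
        jsessionid = cookies.get("JSESSIONID")
        user = self.sessions.get(jsessionid)
        if user is None:
            return 401, "no valid session"
        presented = headers.get(XSRF_HEADER, "")
        # compare_digest keeps the comparison constant-time
        if not hmac.compare_digest(xsrf_token(jsessionid), presented):
            return 403, "XSRF token missing or invalid"
        return 200, f"{method} {path} as {user}"


def legitimate_request(server, cookies, method, path):
    """The application's own script: it can read JSESSIONID from its own
    origin and so computes the matching token for the header."""
    headers = {XSRF_HEADER: xsrf_token(cookies["JSESSIONID"])}
    return server.handle(method, path, cookies, headers)


def cross_site_request(server, cookies, method, path, guessed_token=None):
    """A page on an attacker's origin: the browser attaches the victim's
    cookies automatically, but the attacker cannot read JSESSIONID and so
    cannot fill the header with the right value."""
    headers = {} if guessed_token is None else {XSRF_HEADER: guessed_token}
    return server.handle(method, path, cookies, headers)


def run_scenario() -> dict:
    """Constructed scenario: one logged-in victim, four requests."""
    server = Server()
    victim_cookies = server.login("alice")
    return {
        "legit_delete": legitimate_request(server, victim_cookies, "DELETE", "/items/7")[0],
        "forged_no_token": cross_site_request(server, victim_cookies, "DELETE", "/items/7")[0],
        # attacker guesses a token from the one cookie value they might know
        "forged_guess": cross_site_request(
            server, victim_cookies, "DELETE", "/items/7",
            guessed_token=xsrf_token("loggedIn=true"))[0],
        "no_session": server.handle("GET", "/items", {}, {})[0],
    }


if __name__ == "__main__":
    for name, status in run_scenario().items():
        print(f"{name}: {status}")
```

The forged requests are refused with 403 even though the browser sent the loggedIn and JSESSIONID cookies with them, which is the whole point of the double-submit pattern: the check never rests on MD5's collision resistance, only on JSESSIONID being unreadable from another origin. Comparing with `hmac.compare_digest` rather than `==` is a small extra that costs nothing.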

Licensed under: CC-BY-SA with attribution