Cookie with httponly #637

Open
Dinver opened this issue Mar 2, 2021 · 4 comments

Comments

@Dinver

Dinver commented Mar 2, 2021

Hi, how do I implement cookies with httponly? With httponly set, nothing works. The current implementation is susceptible to XSS attacks.

@websanova
Owner

Well if you are using cookies then you don't need to pass a token since that's automatic.

So basically, just setup a dummy driver that does nothing.

https://websanova.com/docs/vue-auth/guides/drivers

As for XSS, I guess you mean XSRF?

For that you would pass the xsrf token instead of an auth token, same idea as all the other drivers, just take a look.

@Dinver
Author

Dinver commented Mar 9, 2021

> Well if you are using cookies then you don't need to pass a token since that's automatic.
>
> So basically, just setup a dummy driver that does nothing.

It works if httponly is false. With httponly true, authentication does not work.

```js
config = {
    auth: {
        request: function (req, token) { },
        response: function (res) { }
    },
    http: authAxios,
    router: router,
    tokenDefaultKey: 'token',
    stores: ['cookie'],
    cookie: {
        Path: '/',
        Domain: null,
        Secure: false,
        Expires: 1209600,
        SameSite: 'None'
    }
}
```

> As for XSS, I guess you mean XSRF?
>
> For that you would pass the xsrf token instead of an auth token, same idea as all the other drivers, just take a look.

I mean that any JavaScript may have access to the token in localStorage or a cookie (without httponly).

@kosratdev

Is there any update about this issue?

@thebleucheese

thebleucheese commented Feb 3, 2023

In case anyone runs into this...

tl;dr - If you're planning to use HTTPOnly cookies this library is probably overkill. All you likely need is an http interceptor to check for 401s and some router metadata to tag authenticated routes. However, you can probably get HTTPOnly cookies working with this, with some caveats, if you read on...

There's a processRouteBeforeEach() function that calls var isTokenExpired = _isTokenExpired(); which will always evaluate to true if you set the stores: ['cookie'] since the code can't access the cookie. If you set it to storage you must mangle a dummy value into storage where it's expecting a token or key.

So your dummy driver has to be something like

```js
export default {

    request: function (req, token) {
        console.log("dummy req: ", req)
        console.log("dummy token: ", token)
    },

    response: function (res) {
        console.log("dummy res: ", res)
        // probably only do this on response from your token URL req only
        return "#DUMMY_VAL"
    }

};
```

A forewarning: it's probably not appropriate to use the default storage or cookie token store in a production application that has any sensitive data or where users can do sensitive things. The cookie storage mechanism (like all js cookie storage mechanisms) is HTTPOnly so both it and local/session storage are vulnerable to XSS attacks. The common ways to prevent token stealing attacks if your application has an XSS vulnerability are HTTPOnly cookies, Web Workers or some form of in-memory tightly scoped storage, none of which are supported here. You can get something secure going by using HTTPOnly cookies and the 'storage' store but I'm not sure why you'd add an additional dependency for that.
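As an added example that is not vue-auth's code or the commenter's, this sketches the approach described above: the server sets the session cookie with HttpOnly, and the client keeps auth state in memory from response status codes plus a router meta flag (the helper names and the framework-free shapes are assumptions).

```javascript
// Added example, not vue-auth's or the commenter's code: the pattern described above,
// where browser JS never reads the session token. Helper names are assumed.

// Server side: build the Set-Cookie value for the session. HttpOnly keeps the value
// out of document.cookie, so an XSS payload cannot read it; browsers also reject
// SameSite=None unless Secure is set, so that combination is refused here.
function sessionCookieHeader(name, value, opts = {}) {
  const { secure = true, sameSite = 'Lax', maxAge = 1209600 } = opts;
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAge}`,
    `SameSite=${sameSite}`,
    'HttpOnly',
  ];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Client side: auth state is held in memory and driven by response codes
// (the "401 interceptor"), never by reading a token out of a cookie or storage.
function createAuthState() {
  let authenticated = false;
  return {
    isAuthenticated: () => authenticated,
    // Call this from an axios response/error interceptor with the HTTP status.
    onResponse(status) {
      if (status === 401) authenticated = false;
      else if (status >= 200 && status < 300) authenticated = true;
      return authenticated;
    },
  };
}

// Router guard: only routes tagged meta.requiresAuth are gated. Returns the
// redirect target for an unauthenticated user, or null to let navigation proceed.
function authGuard(route, auth) {
  const needsAuth = Boolean(route.meta && route.meta.requiresAuth);
  if (needsAuth && !auth.isAuthenticated()) {
    return { path: '/login', query: { redirect: route.path } };
  }
  return null;
}
```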
