Message from JavaScript discussions

January 2018

— So if I receive a csrf I take the token and blacklist it

— Yeah, you can detect CSRF attempts sometimes. If your server gets the JWT, for example, but not any other tokens like CSRF tokens, then the server can know that something is wrong and blacklist that JWT

— An img tag should be injected somehow first, right? To steal the cookie

— No

— Attacker will never need to ever see or steal it

— CSRF relies on the fact that the browser auto-sends the cookie, so the attacker must simply direct the browser to make a request to your site

— Oh yes, forgot

— https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) is a very good read for anyone integrating auth systems into their app

— Even if you don't write any auth code yourself, there are still a lot of places where it is easy to accidentally open a hole in the app infrastructure

— Thanks

— "Prevention measures that do NOT work" is a good section

— (cookie1 = expires in 6h)(cookie2 = expires in a week)(cookie3 = expires in a month)... so if the img got these, the attacker gets 3 cookies and tries to access the site the next day, the session doesn't work, see