Tuesday, February 18, 2014

Preventing XSRF attacks in Angular with ASP.NET MVC

This is not an easy problem to solve. First, follow this link to implement the overall token-based solution:

http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

The problem comes with Angular in an application that supports login/logout. The Angular router requests each template/page only once, so the token embedded in it is downloaded only once (subsequent requests are served from cache). In our scenario a user could sign in to the application with different accounts, which meant that while the browser stayed open only one token existed, and this caused errors: the token is bound to the user it was issued for, so a token generated for one account and presented by another is rejected as an XSRF attempt. Long story short, the solution was to fetch a fresh token after the user signed in by forcing a full page refresh.

This is probably not the best solution, but the alternative was to have the controllers serve the token, which would have required significant changes and polluted your classes.
