Good day!

There is a landing page with a login and password form, say domain.com, and there is an SPA application on app.domain.com, to which the user is redirected after logging in on the landing page.

How can authentication via the API between the domain and the subdomain be done more securely, so that after the redirect I don't have to worry about the token?

Option 1. Log in on domain.com and pass the received token as a GET parameter. Not great, because it is plainly visible in the browser address bar and, in general, everywhere in the request.

Option 2. Set a cookie token=mytoken on the domain and read it on the subdomain. I doubt this is secure either, because with any stray XSS the token can be stolen (of course, one has to make sure there is no XSS, but still, there is a chance).

Please suggest a more reliable way.

Thanks!

  • For example, use JWT (there are plenty of ready-made implementations). After login the first domain issues the JWT; the second domain can verify it by its signature, without even having access to the first. All communication is done over HTTPS for security. - Vladimir Gamalyan
  • If you don't want to expose the token in a GET parameter, you can put it in the body of a POST request or in an HTTP header. In JWT implementations the token is usually passed in the Authorization header. In general, if this is an SPA and requests are sent with XMLHttpRequest, GET parameters are not visible anywhere (unless, of course, you open the developer console). - Vladimir Gamalyan
  • @Vladimir Gamalyan You misunderstood me slightly. For example, I log in on the landing page and get a token, after which a redirect to the SPA page should happen, from where I will work with this token (passing it in the Authorization header). The problem is exactly how to transfer this received token during the redirect between the landing page and the SPA. - IDD
  • So, as I understand it, the first domain serves a page with a form and a script that performs the authorization, then you need to go to another page, where the main SPA application that needs the token lives? - Vladimir Gamalyan
  • If so, then the first page can, for example, submit a hidden form to your second page (with the token in one of the form fields), and the server returns the second page in response to this POST, embedding the received token in it. - Vladimir Gamalyan

1 answer

  1. On the redirect, we pass the token as a GET or POST parameter, whichever is more convenient.
  2. After the redirect, we save the token (on the server) in an HttpOnly cookie and do another redirect.
  3. On a normal page load, we take the token (on the server) from the cookie and put it into a JS variable. To protect against XSS, we make this variable private to the module using a closure.

Like this:

    var api = function() {
        var token; // private: only reachable through the methods returned below
        return {
            set_token: function(t) { token = t; },
            // other API methods
        };
    }();
    // ...
    api.set_token("the token itself goes here");

If the attacker does not manage to replace the function api.set_token in time, he will not be able to get the token.

But we must understand that this is in no way a defence against XSS. In general, security tokens and other session cookies are only a side effect of XSS attacks. By hiding the token from the attacker we deny him the most comfortable scenario for using the application, via the UI, but that won't stop a persistent cracker. XSS is XSS: it makes it possible to use everything that is available to a legitimate user, including the API layer, for an attack. And it is impossible to defend against this.

Therefore, it is better to go down the path of preventing XSS:

  • code audit;
  • the use of sensible template engines that do not invite injections;
  • use of CSP.
  • @IDD well... there is HTTP 307, which requires the request to be repeated (preserving the verb) at another location. Perhaps this is what you need. - D-side
  • @IDD when you redirect using JS, there is no problem doing a POST redirect. Just create a form and submit it. - Pavel Mayorov
  • @IDD as for the token in the address bar, the second redirect hides everything. - Pavel Mayorov
  • @pavel-mayorov about POST, really, somehow I didn't think of that, I need to rest more :) thanks :) - IDD
  • @D-side, great! Thanks - IDD
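The handoff described in the answer (hidden-form POST from the landing page, HttpOnly cookie plus a second redirect on the subdomain, token injected into the page inside a closure), as an added Node.js example that is not code from the original answer or comments. Everything concrete in it is assumed: the SPA lives on app.domain.com, the landing page posts the token to a hypothetical /session route, the cookie is called token, and the API origin is api.domain.com. It also adds two checks a practitioner would want that the answer leaves implicit: the cookie flags, and escaping of the token when it is written into the inline script, so that a hostile token value cannot itself become an XSS at the injection point.

```javascript
// Added example (not the original answer's code): the answer's three steps as pure
// request handlers so they can be tested without a network. Hypothetical names:
// /session (form target), cookie "token", API origin https://api.domain.com.

const COOKIE_NAME = 'token';

// Step 1 (landing page on domain.com): hand the token over with an auto-submitting
// POST form instead of a GET parameter. Attribute values are HTML-escaped.
function handoffFormHtml(token, action) {
  const esc = (s) => String(s).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
  return `<form id="handoff" method="post" action="${esc(action)}">` +
    `<input type="hidden" name="token" value="${esc(token)}"></form>` +
    `<script>document.getElementById('handoff').submit()</script>`;
}

// Parse a Cookie request header into a plain object (malformed values are skipped).
function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    try { if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim()); } catch (e) { /* skip */ }
  }
  return out;
}

// Serialize a value for an inline <script>. JSON.stringify alone is not enough:
// "</script>" inside the string would close the script block, so <, >, & and the
// U+2028/U+2029 line terminators are emitted as \uXXXX escapes.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Step 2 (app.domain.com): receive the POSTed token, store it in an HttpOnly cookie
// and answer 303 so the browser follows up with a GET; the token never appears in a
// URL, in history or in a Referer. The token format is a hypothetical allow-list.
function handleSessionPost(formBody) {
  const token = new URLSearchParams(formBody || '').get('token');
  if (!token || !/^[A-Za-z0-9._-]+$/.test(token)) {
    return { status: 400, headers: {}, body: 'missing or malformed token' };
  }
  const cookie = `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  return { status: 303, headers: { 'Set-Cookie': cookie, Location: '/' }, body: '' };
}

// Step 3: on a normal page load read the cookie server-side and hand the token to
// the page through the answer's closure. no-store keeps the token-bearing HTML out
// of caches. Without a cookie, send the user back to the landing page.
function handleIndex(cookieHeader) {
  const token = parseCookies(cookieHeader)[COOKIE_NAME];
  if (!token) return { status: 302, headers: { Location: 'https://domain.com/' }, body: '' };
  const page = `<!doctype html><html><body><div id="app"></div>
<script>
var api = (function () {
  var token; // private: no global, no DOM node; only these methods can read it
  return {
    set_token: function (t) { token = t; },
    // every API call attaches the token as a bearer credential
    get: function (path) {
      return window.fetch('https://api.domain.com' + path,
        { headers: { Authorization: 'Bearer ' + token } });
    }
  };
})();
api.set_token(${toScriptLiteral(token)});
</script>
<script src="/app.js"></script></body></html>`;
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' },
    body: page,
  };
}

// Minimal router over (method, path, headers, body); everything else is 404.
function route(method, path, headers, body) {
  if (method === 'POST' && path === '/session') return handleSessionPost(body);
  if (method === 'GET' && path === '/') return handleIndex(headers.cookie);
  return { status: 404, headers: {}, body: 'not found' };
}

// Wire the handlers to Node's http module. Run it behind a TLS terminator: the
// Secure flag means the cookie is only sent over https. Usage: createServer().listen(8080)
function createServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    let body = '';
    req.on('data', (chunk) => { body += chunk; });
    req.on('end', () => {
      const r = route(req.method, req.url, req.headers, body);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    });
  });
}
```

The 303 on the POST is what makes the "second redirect hides everything" remark work: the browser turns the follow-up into a GET of /, so neither the token nor the form submission is left in the history. The token is still present in the HTML served by handleIndex, which is exactly the limitation the answer points out: the closure keeps it out of window scope and out of the DOM, but a script that already runs in the page can call api.get, so this is a hardening step, not an XSS defence.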