React frontend and REST API, CSRF

Backend | Unresolved | 2 | 1786
忘掉有多难 2021-01-29 22:57

Using React on the frontend with a RESTful API as backend and authorisation by JWT, how do we handle sessions? For example after login, I get a JWT token from REST. If I save it

2 answers
  •  遥遥无期
    2021-01-29 23:30

    Your server can set the JWT cookie directly as a response to the login request.

    The server responds to POST /login with Set-Cookie: JWT=xxxxxx. That cookie is HttpOnly and therefore not vulnerable to XSS, and will be automatically included on all fetch requests from the client (as long as you use withCredentials: true).

    CSRF is mitigated as you mentioned, see OWASP for details.
