Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

jason web token storage #55

Closed
benjaminlees opened this issue Jun 27, 2015 · 19 comments
Closed

jason web token storage #55

benjaminlees opened this issue Jun 27, 2015 · 19 comments
Labels

Comments

@benjaminlees
Copy link
Member

from looking at this module it looks like you store the jwt in web storage rather than in a cookie.but doesn't this open you up to xss attacks?

@nelsonic
Copy link
Member

How so @benjaminlees ?
(Genuinely, please help us understand how ...)

@benjaminlees
Copy link
Member Author

As web storage is accessible by javascript on the same domain making it vulnerable to cross site scripting.

@nelsonic
Copy link
Member

Any more so than cookies...?

@eventhough
Copy link
Contributor

@benjaminlees Check out this blog post from Auth0 regarding XSS vs CSRF:

https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#xss-xsrf

@benjaminlees
Copy link
Member Author

@eventhough thank you very much. But this article also states that through using the the HttpOnly cookie flag the cookies are not accessible through javascript and are there for immune to xxs unlike web storage.

@benjaminlees
Copy link
Member Author

@eventhough I guess that the article also states that xsrf is a harder attack to protect against then xxs, which is a very good point and one that i had not truly understood.

@eventhough
Copy link
Contributor

There are tradeoffs to everything in life. We make decisions based on what
we know at that moment and figure out how to make those choices work down
the line.

On Sunday, June 28, 2015, benjamin Lees [email protected] wrote:

@eventhough https://github.com/eventhough I guess that the article also
states that xsrf is a harder attack to protect against then xxs, which is a
very good point and one that i had not truly understood.


Reply to this email directly or view it on GitHub
#55 (comment).

@nelsonic
Copy link
Member

@benjaminlees not all browsers support HttpOnly cookie
see: http://resources.infosecinstitute.com/cookies-httponly-flag-problem-browsers/

But we are considering add support for it: #56

Want to Pair on a Pull Request tomorrow? 😉

@benjaminlees
Copy link
Member Author

@nelsonic definitely that would be awsome!

@nelsonic
Copy link
Member

@benjaminlees is the code where you used cookies in hapi somewhere on GitHub?

@eventhough
Copy link
Contributor

@nelsonic Just updated to version 4.7.0 and I get a weird error in IE9: Invalid cookie value

Does IE9 do something differently when it sends cookies over? Is there a flag or something I can set to turn off cookie auth?

@nelsonic
Copy link
Member

@eventhough oh! where are you seeing that error? (in the browser or in a response from the server?)
Can you upload a _screenshot_ of the error? (preferably as a new issue)

Does your app already use cookies for something other than authentication? (or are you using the hapi-auth-cookie plugin in your app?)

If its a show-stopper issue, simply downgrade to the previous version of the hapi-auth-jwt2 package by specifying v.4.6.0 in your package.json till we are able to identify precisely what the issue is.

Thanks very much for reporting this.

@eventhough
Copy link
Contributor

@nelsonic sorry spoke way too soon. I think it has something to do with hapi, not with hapi-auth-jwt2. Have you ever seen this problem before?

hapijs/hapi#2588

I don't use cookies in my project but for some reason hapi does not like whatever IE9 is sending....

@eventhough
Copy link
Contributor

@nelsonic All is well. Not sure what IE9 is doing but if you aren't using cookies, make sure you set the route config for state.parse = false;

hapijs/hapi#2513

@nelsonic
Copy link
Member

Oh wow! { and " really shouldn't cause issues in cookies.
The cookie spec states that any any [USASCII] character is valid: http://tools.ietf.org/html/rfc6265#section-2.2 so its definitely an IE9 issue not Hapi.js as concluded by Eran Hammer in hapijs/hapi#2588
Thankfully using cookies in hapi-auth-jwt2 will be in the format:

headers: { 
cookie: 'token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MTIzLCJuYW1lIjoiQ2hhcmxpZSIsImlhdCI6MTQzNzUxNTE5OH0.xFWe9ccAHqq1bWQ3FvY_plDcY4ClHhm173fxUVHapAE' 
}

So I don't expect to ever see this IE9 issue ...

@nelsonic
Copy link
Member

@eventhough thanks for the heads up!
Did you see the IE9 issue with the previous version of hapi-auth-jwt2 ?

@eventhough
Copy link
Contributor

@nelsonic I saw the same error in 4.6.x so I knew it wasn't hapi-auth-jwt2. A little more sleuthing revealed that IE9 is the culprit. I'm not really using cookies for my app right now so I turned off parsing.

@nelsonic
Copy link
Member

@eventhough thanks for confirming that.
@benjaminlees can we safely close this issue now? 👍

@nelsonic
Copy link
Member

Closing. this was resolved a 3 releases ago. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants