You are viewing a single thread.
View all comments
52 points

…so allow…either?

What’s so hard about checking two headers (Authorization: and Cookie:) for the authtoken?

permalink
report
reply
33 points

It’s a security thing. The HttpOnly cookie can’t be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.

permalink
report
parent
reply
25 points

Then again, cookie auth is vulnerable to CSRF. Pick your poison.

Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.

permalink
report
parent
reply
9 points

That’s assuming the client wants to make a web app. They may need to connect something else to that API.

It’s perfectly normal to be able to cater to more authentication scenarios than “web app logging in directly to the target API and using its cookies”.

If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.

permalink
report
parent
reply
8 points
*

Okay.

So make your webpage send the authtoken in a cookie and leave off the Authorization header, and have your third party (presumably native) clients send an Authorization header but not any cookies, and write your server software to check for both.

This seems trivial. What am I missing?

permalink
report
parent
reply
-5 points

The point of the cookies being HttpOnly is that it makes them completely inaccessible to client side JavaScript, making a whole load of session hijack/XSS attacks impossible.

The request for a bearer token here circumvents this protection because then there’s a way for a client to avoid cookies all together, making the API vulnerable again.

permalink
report
parent
reply

Programmer Humor

!programmerhumor@lemmy.ml

Create post

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

  • Posts must be relevant to programming, programmers, or computer science.
  • No NSFW content.
  • Jokes must be in good taste. No hate speech, bigotry, etc.

Community stats

  • 3.6K

    Monthly active users

  • 1.5K

    Posts

  • 35K

    Comments