Details
- Feature
- Resolution: Obsolete
- High
Description
The "session-cookie plus CSRF-token" thing for API as currently implemented might be overhauled (either replaced or improved) by usage of WSSE:
- WSSE is a standard
- implementing a WSSE authenticator (sf side) is straightforward: it is the default example given in the cookbook!
- the client-side should be simple enough. Ex: http://stackoverflow.com/questions/15779170/how-to-properly-generate-a-wsse-password-digest-in-php, https://github.com/vrruiz/wsse-js
- it is implemented by omniture, typepad, movabletype, fosrestbundle
I am not 100% sure that the 2 technologies cover the exact same aspects.
Probably for best ever protection, they should be combined.
- CSRF is avoided by using the token
- replay attacks are avoided by making clients use a nonce
Some background info: http://stackoverflow.com/questions/5691492/csrf-tokens-vs-nonce-confusion-are-they-the-same
Maybe we could implement WSSE with the following improvement: the "secret" to be used for hashing nonces is the CSRF token.
And voilà, 5 stars in API security
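As an added example (not code from the ticket, from Symfony or from FOSRestBundle), a minimal Python implementation of the WSSE UsernameToken scheme the ticket proposes: a client-side header builder and a server-side verifier that rejects bad digests, stale `Created` timestamps and replayed nonces. The shared secret is a parameter, so it can be the CSRF token as the ticket suggests; the 300-second window, the in-memory nonce cache and the sample username and secret are assumptions.

```python
import base64
import calendar
import hashlib
import hmac
import os
import re
import time

WSSE_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def wsse_digest(nonce, created, secret):
    # Standard UsernameToken digest: Base64(SHA1(Nonce + Created + Password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + secret.encode()).digest()).decode()

def make_wsse_header(username, secret, nonce=None, created=None):
    # Client side: build the X-WSSE header value. `secret` is whatever the server
    # shares with this client; the ticket proposes the CSRF token for that role.
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or time.strftime(WSSE_TIME_FMT, time.gmtime())
    return ('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"'
            % (username, wsse_digest(nonce, created, secret), base64.b64encode(nonce).decode(), created))

class WsseVerifier:
    # Server side: checks the digest, rejects stale timestamps and replayed nonces.
    def __init__(self, secrets_by_user, lifetime=300):
        self.secrets_by_user = secrets_by_user  # username -> shared secret (assumed store)
        self.lifetime = lifetime                # seconds a Created value stays acceptable
        self.seen_nonces = {}                   # nonce bytes -> expiry (unix time)

    def verify(self, header, now=None):
        now = time.time() if now is None else now
        f = dict(FIELD_RE.findall(header))
        secret = self.secrets_by_user.get(f.get("Username", ""))
        if secret is None or not all(k in f for k in ("PasswordDigest", "Nonce", "Created")):
            return False
        try:
            created_ts = calendar.timegm(time.strptime(f["Created"], WSSE_TIME_FMT))
            nonce = base64.b64decode(f["Nonce"], validate=True)
        except ValueError:  # malformed timestamp or nonce (binascii.Error is a ValueError)
            return False
        if abs(now - created_ts) > self.lifetime:  # stale, or clock skew beyond the window
            return False
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}  # forget expired
        if nonce in self.seen_nonces:  # replay: same nonce presented again inside the window
            return False
        if not hmac.compare_digest(wsse_digest(nonce, f["Created"], secret), f["PasswordDigest"]):
            return False
        self.seen_nonces[nonce] = now + self.lifetime
        return True
```

Nonces must be remembered for at least the `Created` window on every node that verifies requests, so a multi-server deployment needs a shared store rather than the per-process dictionary used here.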