Dear Pavan Reddy,
1. The first CSRF token for the session is generated after authentication, not for a call without a cookie.
2. A CSRF token is generated for the next call; except for the first one (authentication), the server will validate the current CSRF token and the CSRF parameter.
3. A CSRF attacker cannot authenticate to the server, and a CSRF attacker cannot read the cookie.
i.e. the CSRF attacker will not be able to send a call with the correct CSRF token and the correct CSRF parameter, so it is safe for the server to generate the next CSRF token when the current CSRF token and the CSRF parameter match, or when authentication is successful.
Dear PavanReddy,
I believe this is how double submission works: as the attacker cannot see the server response, each time the client calls the server, the server should generate a random value/token and set it as a cookie for the client. The next time the client sends a request, it needs to send the random value/token as a parameter; then the server can validate the value of the cookie and the parameter, and if they do not match, the server refuses the request.
For the gateway as server, we can use the Protect Against CSRF Forgery assertion to validate the cookie and parameter.
I will attach an example. I put the login process and the API process together just for convenience; the authentication can be another service endpoint. And the login process is there to generate the first token, so we don't need to validate it.
To test my example, log in first:
<your service url>?action=login
In the response, it will show the last token; just copy it and set it as the parameter of the next call.
<your service url>?action=callapi&csrftoken=<the last token>
If there is no parameter csrftoken, or the value is not the last one, the Protect Against CSRF Forgery assertion will fail.
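The double-submit flow from the reply above, written out as an added Python illustration (not the attached gateway example or any gateway code): login issues the first token without validation, every later call must carry a matching cookie/parameter pair, and a matched call rotates to the next token. The cookie and parameter name csrftoken and the token length are assumptions.

```python
import hmac
import secrets

# Assumed names for this illustration: the post uses csrftoken as the query
# parameter; reusing it for the cookie is our choice.
COOKIE_NAME = "csrftoken"
PARAM_NAME = "csrftoken"


def new_token() -> str:
    """Unguessable token: 32 random bytes, hex-encoded, from a CSPRNG."""
    return secrets.token_hex(32)


def handle_request(action: str, cookies: dict, params: dict):
    """Server side of the double-submit scheme.

    Returns (allowed, next_token). next_token is what the server sets as the
    cookie and what the client must echo as a parameter on its next call;
    it is None when the request is refused.
    """
    if action == "login":
        return True, new_token()          # first token: issued, not validated

    cookie_token = cookies.get(COOKIE_NAME)
    param_token = params.get(PARAM_NAME)
    if not cookie_token or not param_token:
        return False, None                # parameter missing: typical forged request
    # Constant-time comparison so timing does not leak token prefixes.
    if not hmac.compare_digest(cookie_token.encode(), param_token.encode()):
        return False, None                # mismatch: guessed or stale token
    return True, new_token()              # matched: rotate to the next token


def simulate() -> dict:
    """Legitimate client versus a forger, both using the victim's cookie jar."""
    results = {}
    jar = {}  # constructed browser cookie jar, attached to every request automatically

    ok, tok = handle_request("login", jar, {})
    jar[COOKIE_NAME] = tok
    results["login"] = ok

    # Legitimate client saw the response, so it can echo the token as a parameter.
    ok, tok2 = handle_request("callapi", jar, {PARAM_NAME: tok})
    results["legit_call"] = ok
    jar[COOKIE_NAME] = tok2

    # Forger: the browser attaches the cookie, but the attacker never saw the
    # response, so the parameter is absent or a guess; an old token is stale.
    results["forged_no_param"] = handle_request("callapi", jar, {})[0]
    results["forged_guess"] = handle_request("callapi", jar, {PARAM_NAME: secrets.token_hex(32)})[0]
    results["replay_old"] = handle_request("callapi", jar, {PARAM_NAME: tok})[0]
    return results
```

Running simulate() shows the legitimate second call accepted and all three forged variants refused; the rotation step is what makes the replay of the previous token fail.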
Can the gateway delete the CSRF validation cookie when the user is logged out?
And how long would the cookie be valid?
From my point of view, it doesn't matter.
But if you want to delete the cookie, you can do it on the client side.
If you want to set an expiry date for the cookie, you can set it in the Manage Cookie assertion. The cookie should last as long as the session, or at least as long as the fresh token lifetime.
1) Initially, when I get a request from a browser and the cookie is not present, I will be generating a CSRF token and giving the user access to the API.
2) How can we identify whether he is an attacker or not when generating a new token?