From: Mathieu Lirzin
Subject: Re: [GSoC] Development of Cuirass.
Date: Sun, 12 Mar 2017 19:41:12 +0100
Message-ID: <87bmt6ibhz.fsf@gnu.org>
References: <87tw6yim7o.fsf@gnu.org> <814f70f0-569c-51c8-592d-16b1ea4c8e70@pelzflorian.de>
In-Reply-To: <814f70f0-569c-51c8-592d-16b1ea4c8e70@pelzflorian.de> (pelzflorian@pelzflorian.de's message of "Sun, 12 Mar 2017 16:18:34 +0100")
To: "pelzflorian (Florian Pelz)"
Cc: guix-devel@gnu.org

Hello Florian,

"pelzflorian (Florian Pelz)" writes:

> On 03/12/2017 03:49 PM, Mathieu Lirzin wrote:
>> Sensitive requests should be done with an
>> authentication mechanism which is not determined yet. I currently
>> have no experience with any and lack the knowledge to properly choose
>> one.
>
> I’m new to Guix and Scheme and no expert in Web programming, but in
> order to prevent CSRF and in order not to rely on JavaScript, the server
> should run with HTTPS (of course) and
> · use a secret session token and
> · send a customized Web page to the client adapted so that each link and
> form to the server includes the session token as a GET or POST parameter.
>
> An alternative is Basic Access Authentication with HTTPS or Cookies with
> HTTPS but they are vulnerable to CSRF.
>
> See stackoverflow, for example
> https://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication

Thanks for your input. Have you any experience/advice regarding OAuth or
JSON Web Token (JWT)?

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
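As an added illustration of the token scheme Florian describes above (this is not code from the thread or from Cuirass, which is written in Guile Scheme): a minimal Python sketch in which the server mints a per-session secret token, embeds it in every form it renders, and accepts a sensitive POST only when that token comes back alongside the session cookie. The session store, request shape and handler names are assumptions.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store (session id -> user and secret token).
# Hypothetical stand-in for server-side state; not Cuirass code.
SESSIONS = {}

def create_session(user):
    """Start a session and mint the secret token every link/form must carry."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid, action):
    """Customize the page: the form carries the session token as a POST parameter."""
    token = SESSIONS[sid]["csrf"]
    return (f'<form method="post" action="{escape(action)}">'
            f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
            f'<button>Submit</button></form>')

def handle_sensitive_request(cookies, form):
    """Authorize a state-changing POST. Returns (status, reason).

    The browser attaches the session cookie to any request, including one a
    foreign page submits, so the cookie alone is the CSRF-prone setup the
    thread mentions. The token embedded in the rendered page is what a
    foreign origin cannot read, so the request is accepted only if it too
    is present and matches the session.
    """
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "no session"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token is not distinguishable by timing.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "missing or wrong csrf token"
    return 200, "ok for " + session["user"]
```

The same token would be appended as a query parameter to links that trigger GET-side actions, which is the "each link and form" part of the scheme.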