Passport with cookies and CSRF protection.

Posted 4 months ago by jlwalker

I've been searching for days and can't find any information on how to properly use Passport with cookies. Every tutorial stores the access tokens in local storage despite countless articles stating this to be a security issue (XSS).

So after a user logs in, instead of sending the access token back with the response, I set it as an HttpOnly cookie. For incoming requests, I wrote custom middleware to check for the cookie and, if present, I set the Authorization: Bearer header before the request is handled by the authentication middleware and the rest of the app.

This works perfectly, except that it seems to leave me vulnerable to CSRF attacks (right?). So I added the VerifyCsrfToken middleware to the api group, along with EncryptCookies and StartSession middleware. I defined the cookie session driver in my config. I am now getting a CSRF token mismatch error.

Does anyone know how to do this properly? As I said, I've been reading articles and playing around with different setups for days and can't find any detailed info on how to get it right. Hoping someone can help me out as I'm beginning to feel pretty confused with it all.
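The two pieces of the flow the post describes (login sets the token as an HttpOnly cookie; a middleware promotes that cookie to an Authorization: Bearer header before Passport's `auth:api` guard runs), written out as an added example. This is not the poster's code or Passport's own; the class names, the `api_token` cookie name, the `App\Models\User` model and the token lifetime are assumptions. Two files are shown in one block, separated by path comments.

```php
<?php
// app/Http/Middleware/BearerTokenFromCookie.php  (added example, not from the post)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Runs inside the "api" group before Passport's `auth:api` guard. If the browser
// sent the HttpOnly token cookie and no Authorization header, copy the token into
// the header so Passport's TokenGuard authenticates it like any bearer token.
class BearerTokenFromCookie
{
    public const COOKIE = 'api_token'; // assumed name; the login side must use the same one

    public function handle(Request $request, Closure $next)
    {
        // An explicit Authorization header always wins; the cookie only fills a gap,
        // so a non-browser client sending its own bearer token is unaffected.
        if (! $request->headers->has('Authorization')) {
            // Value is already decrypted here if EncryptCookies ran earlier in the group.
            $token = $request->cookie(self::COOKIE);

            if (is_string($token) && $token !== '') {
                $request->headers->set('Authorization', 'Bearer '.$token);
            }
        }

        return $next($request);
    }
}

// app/Http/Controllers/Auth/TokenLoginController.php  (added example, not from the post)
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Http\Middleware\BearerTokenFromCookie;
use App\Models\User;              // assumed model location
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class TokenLoginController extends Controller
{
    // Assumed lifetime; keep it in step with Passport::personalAccessTokensExpireIn().
    private const LIFETIME_MINUTES = 60 * 24;

    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        // Check the password hash directly instead of Auth::attempt(), so no web
        // session is created for what is meant to be a token-based API login.
        $user = User::where('email', $credentials['email'])->first();
        if (! $user || ! Hash::check($credentials['password'], $user->password)) {
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // Passport personal access token; only the JWT string is needed here.
        $accessToken = $user->createToken('spa')->accessToken;

        // The token never appears in the JSON body. It travels only in a cookie that
        // is HttpOnly (page scripts cannot read it, which is the XSS concern in the
        // post), Secure (HTTPS only) and SameSite=Strict (not attached to cross-site
        // requests by modern browsers).
        $cookie = cookie(
            BearerTokenFromCookie::COOKIE,
            $accessToken,
            self::LIFETIME_MINUTES,
            '/',      // path
            null,     // domain: current host only
            true,     // secure
            true,     // httpOnly
            false,    // raw
            'Strict'  // sameSite
        );

        return response()->json(['message' => 'ok'])->withCookie($cookie);
    }
}
```

Register `BearerTokenFromCookie` in the `api` middleware group in `app/Http/Kernel.php`, after `EncryptCookies` if that middleware is also in the group, and before any route middleware that uses `auth:api`. Two practitioner caveats: `SameSite=Strict` is a defence-in-depth measure against CSRF, not a replacement for a token check, and Laravel's `VerifyCsrfToken` compares the `_token` field, `X-CSRF-TOKEN` header or (decrypted) `X-XSRF-TOKEN` header against a token stored in the session, so it can only succeed when the session middleware actually persists a session between requests and the front end sends one of those values with every state-changing request.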

