It is recommended that CSRF protection is set up for Digizuite, in order to protect against CSRF (Cross-Site Request Forgery) attacks.
What is a CSRF attack?
The DAM Center's server validates the user making a request by means of a session, which is created when the user logs in. A user's session is identified by an ASP.NET session cookie. A malicious website may impersonate the user by causing a request to the API to be sent from the user's browser. Such a request will also carry the ASP.NET session cookie, which makes the server believe that the authenticated user is making the request. Without CSRF protection, such a request will succeed.

How does CSRF protection work?
When the user logs in, the API returns a CSRF cookie and a CSRF token. When subsequent requests are made, the CSRF token is added to the HTTP request headers. The API then validates the CSRF cookie and the CSRF token together. The protection works because a malicious website has no access to the CSRF token, so even though the ASP.NET session cookie is sent, the CSRF validation fails and the request does not succeed.
Digizuite DAM Center
CSRF protection is configured in the appSettings section of the Digizuite DAM Center's web.config file.
The random string used when generating the cryptographic CSRF token. The install script generates this if it's not already present in the web.config.
```xml
<add key="CSRFTokenPepper" value="random_string_at_least_10_characters_long" />
```
Another random string, also used when generating the cryptographic CSRF token. The install script generates this if it's not already present in the web.config.
```xml
<add key="CSRFTokenPepperCookie" value="another_random_string_at_least_10_characters_long" />
```
If either CSRFTokenPepper or CSRFTokenPepperCookie is altered, the active sessions are cleared, which means that users are forced to log in again.
If the following setting is added to appSettings, CSRF protection is disabled. It is enabled by default.
```xml
<add key="CSRFDisabled" value="true" />
```
Users may be forced to log in again if the browser loses the X-CSRF-Token due to a page refresh. This can be mitigated by checking "Remember login credentials" when logging in; if that is done, the DAM Center automatically logs the user in again upon a page refresh.