...

Info

What is a CSRF attack?

The DAM Center's server validates the user making the request by using a session, which is created when the user logs in.

A user's session is identified by an ASP.NET session cookie. 

A malicious website may impersonate the user by making a request to the API. Such a request will also contain the ASP.NET session cookie, which makes the server believe that it's the authenticated user making the request. 

Without CSRF protection, such a request will succeed.

How does CSRF protection work?

When the user logs in, the API returns a CSRF cookie and a CSRF token.

When subsequent requests are made, the CSRF token is added to the HTTP(S) request's headers. The API then validates the CSRF cookie and the CSRF token together.

The "protection" works because a malicious website will not have access to the CSRF token, so even if the ASP.NET session cookie is sent, the CSRF validation will fail, and the request will not succeed.
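The following is an added illustration of the cookie-plus-header check described above; it is not code from Digizuite or from this page. It assumes a server-side secret standing in for the CSRFTokenPepper setting, a constructed CSRF cookie name ("CSRF-Cookie"), the default ASP.NET session cookie name ("ASP.NET_SessionId"), and the X-CSRF-Token header the page mentions. The session and token stores are in-memory stand-ins. It shows why a cross-site request, which carries the cookies but cannot read the token, is rejected, and why changing the pepper invalidates existing sessions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the CSRFTokenPepper appSetting (a server-only secret).
PEPPER = b"constructed-pepper-value-replace-in-real-deployments"

# Constructed in-memory session store: session id -> user name.
SESSIONS: dict = {}


def _derive_token(csrf_cookie: str) -> str:
    """Bind the CSRF token to the CSRF cookie value using the pepper (assumed scheme).

    Only the server knows the pepper, so only the server can produce a token
    that matches a given cookie value.
    """
    return hmac.new(PEPPER, csrf_cookie.encode(), hashlib.sha256).hexdigest()


def login(user: str) -> dict:
    """Simulate login: create a session and return the session cookie,
    the CSRF cookie and the CSRF token the client must keep in memory."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = user
    csrf_cookie = secrets.token_hex(16)
    return {
        "session": session_id,
        "csrf_cookie": csrf_cookie,
        "csrf_token": _derive_token(csrf_cookie),
    }


def handle_request(cookies: dict, headers: dict) -> tuple:
    """Validate an API request: first the session, then the CSRF pair.

    Returns (status_code, message). The browser attaches cookies to any request
    to the API, including one triggered by a malicious site; the X-CSRF-Token
    header must be set explicitly by page script that holds the token.
    """
    user = SESSIONS.get(cookies.get("ASP.NET_SessionId"))
    if user is None:
        return 401, "no valid session"

    csrf_cookie = cookies.get("CSRF-Cookie")
    csrf_token = headers.get("X-CSRF-Token")
    if not csrf_cookie or not csrf_token:
        return 403, "missing CSRF cookie or X-CSRF-Token header"

    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(_derive_token(csrf_cookie), csrf_token):
        return 403, "CSRF validation failed"
    return 200, f"ok for {user}"


def rotate_pepper(new_pepper: bytes) -> None:
    """Model of changing CSRFTokenPepper: previously issued tokens no longer
    verify, so active sessions are cleared and users must log in again."""
    global PEPPER
    PEPPER = new_pepper
    SESSIONS.clear()


def demo() -> dict:
    """Run the legitimate and cross-site cases and return their status codes."""
    creds = login("alice")
    browser_cookies = {
        "ASP.NET_SessionId": creds["session"],
        "CSRF-Cookie": creds["csrf_cookie"],
    }
    return {
        # Page script adds the header it received at login.
        "legitimate": handle_request(browser_cookies, {"X-CSRF-Token": creds["csrf_token"]})[0],
        # A malicious site's request: cookies go along automatically, no header.
        "cross_site_no_header": handle_request(browser_cookies, {})[0],
        # A malicious site guessing a token value.
        "cross_site_guess": handle_request(browser_cookies, {"X-CSRF-Token": "0" * 64})[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives 200 for the legitimate request and 403 for both cross-site variants; after `rotate_pepper(...)` the same session cookie is refused with 401, which is the forced re-login described later on this page.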

Digizuite DAM Center

CSRF protection is configured in the appSettings section of the Digizuite DamCenter's web.config file.


The random string used when generating the cryptographic CSRFToken. The install script generates this value if it is not already present in the web.config.

...

If either CSRFTokenPepper or CSRFTokenPepperCookie are altered, then the active sessions are cleared, which means that users are forced to log in again.


If this setting is added to appSettings, CSRF protection will be disabled. It is enabled by default.

...

Remark

Users may be forced to log in again if the browser loses the X-CSRF-Token on a page refresh.

This can be mitigated by checking "Remember login credentials" when logging in. If that is done, the DAM Center will automatically log the user in again after a page refresh.