Since the last version (5.2), cookies are disabled in Lumen. I'm currently making an API in Lumen with JWT authentication.
To secure my application from CSRF attacks I need to set a csrf cookie. But what is the best way to handle that now?
VerifyCsrfToken Middleware was removed in this commit.
From Lumen 5.2 documentation:
Lumen 5.2 represents a more decided shift towards focusing on stateless APIs.
So, if you need CSRF token verification, you have to implement it yourself, storing the token in a meta tag or inside the JWT payload as a private claim (you will need to implement the new claim, i.e. here).
If it was removed, there's probably a good reason. Here are some links that may help you move on.
CSRF Token necessary when using Stateless(= Sessionless) Authentication?
Where to store JWT in browser? How to protect against CSRF?
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage#post-2748616172
Related
I am working on a react native application for a website which is made in Laravel so all of its APIs are based on Laravel.
I am facing a problem with the CSRF token when making POST requests to the Laravel backend. Every time I get the response "Page is Expired".
I have done some research on the issue and found that CSRF tokens are generated by Laravel by default for security purposes. My question is: how can I connect to the Laravel API?
One solution which was suggested is to use JWT tokens, but that's really not a feasible solution for me, and I am not sure how to implement JWT authentication in Laravel.
Another solution which I have read is that whenever we visit a page made using Laravel, window.csrfToken can be accessed in the window object, which is the token I need for making the API calls. Is it true? And if it is, then how can I get that in a React Native application (should I make a GET request for the website and try to get the token from there; is it possible?)
One more solution I think of is that we can bypass some routes in the Laravel middleware so that the token is not checked.
I need some suggestions on the issue. I also need to know whether the above solutions are correct and which one I should use.
Thanks
I am trying to build a secure login for my small app, so I decided to use the JWT approach by using the Firebase JWT library for Lumen.
I discovered I can't revoke my token except with some dynamic data like a session. And Lumen has stopped shipping with the session package since Lumen 5.2;
I know there might be a reason why they stopped supporting sessions.
And I have the Tymon JWT package, but it does not work well with Lumen 5.6.
That's why I use Firebase JWT-PHP as an alternative.
I would like to know an alternative to sessions, with a solid example, or any idea of the best JWT login with revocation of the token on logout.
If you want to use sessions, the method in this comment seemed to do the trick, though I haven't torture-tested it all that much (I just discovered it a couple days ago myself), so YMMV:
https://stackoverflow.com/a/47055083/1246105
In short, you can just à la carte install the session handling from Laravel.
I know that laravel-passport uses JWT, but it checks the database per access-token request to check whether that token is revoked or not. This breaks the meaning of JWT, which is self-signing without a database check. Also, this made my RESTful API stateful, and my JWT is a session ID and not truly an access token.
This checking made my authentication requests slower and is a bottleneck when my API is under pressure.
Now I want to know: is there any solution to disable revoke checking in laravel-passport? Or a better solution, such as storing data in a cache DB such as Redis? And if there is no solution in laravel-passport, is there any other package to solve my problem?
I'm currently using Laravel 5.6 with the Laravel JWT library for a new web app.
I would like to store the JWT in a cookie without using a conventional session but there doesn't seem to be an easy way of going about this with the JWT library.
In my Auth controller I return the token in a cookie, but Laravel still starts a session which I don't want since I want the session inferred from the cookie.
I also went into Kernel.php and removed some of the Session stuff from the web middleware group but then that caused a runtime exception saying "Session store not set on request."
I've seen some hacked-together solutions that were half implemented, but I would like to hear some insight from anyone that has done this elegantly or felt like their solution was correct.
Thanks
For my purpose I determined that using encrypted cookies will suffice for the web application (using Redis as a cache), and then using JWTs for the mobile API.
I am developing a mobile application back-end service using Laravel 5.3. I am following the REST API style. The application has a payment gateway integration and needs more security.
I followed JWT auth by using the tymon/jwt-auth library for Laravel.
I have a few concerns: my token expires after 1 hour, after which the server returns a token expired error. How can the application developer handle this situation? Asking the user to log in again and again is not possible.
How can app developer handle it?
What is the best and more secure approach?
In config/jwt.php, change 'ttl' => 60 to whatever number you need; the number represents the minutes a token can live. But the best approach is to use the RefreshToken, since your app will be more secure against unwanted users.
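As an added illustration (not code from any of the posts, nor from tymon/jwt-auth, laravel-passport or Lumen), here is a framework-agnostic Python sketch of the two patterns the threads above circle around: the CSRF token carried as a private JWT claim that the client must repeat in a request header (the first question), and logout revocation through a jti denylist that only needs to live until the token's exp, which is what a cache such as Redis gives you without a per-request database query (the laravel-passport and Firebase JWT questions). The secret, claim names and timestamps are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed for this example; load from config in real code
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub, ttl_minutes, jti, csrf, now=None):
    """Mint an HS256 JWT; 'csrf' is the private claim the client must echo in a header."""
    now = int(time.time()) if now is None else now
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": sub, "jti": jti, "csrf": csrf,
                              "iat": now, "exp": now + 60 * ttl_minutes}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify(token, denylist, now=None):
    """Return the claims, or None if the token is malformed, forged, expired or revoked."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":  # refuse alg=none and friends
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
        # Expired: the client should use its refresh token, not log in again.
        # Revoked: one cache lookup (e.g. Redis) on logout state, no database query.
        if claims["exp"] <= now or claims["jti"] in denylist:
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def csrf_ok(claims, header_value):
    # Double submit: a cross-site form can make the browser send the cookie-borne JWT,
    # but cannot read the claim inside it to fill the header, so a mismatch means CSRF.
    return isinstance(header_value, str) and hmac.compare_digest(
        claims["csrf"].encode(), header_value.encode())

def revoke(claims, denylist):
    """Logout: remember the jti, but only until the token would expire anyway."""
    denylist[claims["jti"]] = claims["exp"]

def prune(denylist, now):
    """Drop entries for tokens that are already expired (a cache TTL does this for you)."""
    for jti in [j for j, exp in denylist.items() if exp <= now]:
        del denylist[jti]
```

In a cache the denylist entry would simply be written with a TTL of exp minus now, so the store never grows beyond the number of tokens logged out within one ttl window.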