Don't Use Cookie-Based Authentication for Client Web API Calls Without CSRF Protection

For years, ASP.NET developers have used cookie-based authentication sessions (also called Forms authentication) to secure their Web pages. There's nothing wrong with doing that for your server-rendered pages, but as people start moving into developing Single-Page Applications with frameworks such as Angular, they need to realize that leveraging the cookie-based session for the client JavaScript Web API (AJAX) calls opens them up to a Cross-Site-Request-Forgery (CSRF/XSRF) attack.

The full details of how and why take a bit to understand. For a good background article on this, check out this blog post from Microsoft MVP Troy Hunt. The bottom line is you need to not use cookies for authenticating Web API calls and use something like OAuth tokens instead. You could also put additional protection in place for CSRF with separate correlated tokens that prevent code in another browser tab or instance from issuing calls to your Web APIs and hijacking your security session.

Brian Noyes is the CTO of Solliance Inc., a Microsoft regional director, MVP and Pluralsight author.

Posted by Brian Noyes on 05/20/2015