Datatables Editor: CSRF protection with regenerating CSRF Tokens and HTTP Only cookies possible?


dieterr Posts: 2 Questions: 1 Answers: 0

We have a security audit for a web application that uses Datatables Editor.

The requirements are:
* provide CSRF protection using tokens as usual
* generate new CSRF Token for every response/request pair
* use HTTP Only cookies

All these are just config settings in the PHP framework we use (CodeIgniter).

https://editor.datatables.net/manual/security says to use:

new $.fn.dataTable.Editor( {
    ajax: {
        url: '...',
        data: function ( d ) { d.CSRFToken = TOKEN; }
    }
} );

The "TOKEN" would need to change with every request.
After the page using Datatables Editor gets loaded there can be any number of Editor POST requests on the same page. So the TOKEN cannot be "hardcoded".
I guess usually I would use JavaScript to read the CSRF cookie and set the TOKEN accordingly? However, since for security reasons we are asked to use the HttpOnly flag on cookies, we can't read them from JavaScript.

Is this scenario supported by Datatables Editor? Any hints appreciated!

Thanks!


Answers

  • allan Posts: 61,743 Questions: 1 Answers: 10,111 Site admin
    Answer ✓

    Hi,

    The ajax.data option is a function, so it can obtain the token from anywhere. A meta tag is a fairly common place to store it, and you can update it after each Ajax request if you want (although you need to be really careful about this if you have multiple Ajax things going on at the same time since they are by their very nature async).

    So the key thing here is how do you get the new tokens - are they in the JSON response? If so use postSubmit to get access to the JSON response and update whatever your token data store is.

    Allan

  • dieterr Posts: 2 Questions: 1 Answers: 0

    Hi Allan,

    thanks for your fast reply.

    I am now sending the updated CSRF token as part of the JSON response of the DataTables and Editor Ajax calls. I wasn't aware of the Editor postSubmit and DataTables xhr events to easily intercept the data and read the token.

    Thanks again!
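The pattern Allan describes and dieterr ended up with (token seeded from a server-rendered meta tag because the cookie is HttpOnly, stamped onto every request by the ajax.data function, and replaced from each JSON response via the Editor postSubmit and DataTables xhr events), as an added example. This is not code from the thread or from the Editor manual. Assumptions: the server puts the rotated token in a top-level JSON field named csrf_token, the page carries a meta tag named csrf-token, the request parameter is CSRFToken as in the manual snippet, and the URLs, table id and field names are placeholders. The store also counts requests that go out while another is still in flight, which is the overlap Allan warns about: with a rotate-per-request scheme the second of two concurrent requests carries a token the server has already retired.

```javascript
// Added example (not from the forum thread or the Editor docs).
// Assumed names: JSON field "csrf_token", meta tag "csrf-token", parameter "CSRFToken".
const TOKEN_FIELD = 'csrf_token';   // assumed response field carrying the rotated token
const META_NAME = 'csrf-token';     // assumed meta tag that seeds the first token

// In-memory token store. The HttpOnly cookie is invisible to script, so the
// initial token is read from a meta tag the server renders into the page.
function createCsrfStore(doc, initial) {
  let token = initial || '';
  if (!token && doc && typeof doc.querySelector === 'function') {
    const meta = doc.querySelector('meta[name="' + META_NAME + '"]');
    if (meta) token = meta.getAttribute('content') || '';
  }
  let inFlight = 0;   // requests sent but not yet answered
  let overlaps = 0;   // requests sent while another was still pending

  return {
    get: () => token,
    // Used from ajax.data: stamps the current token onto the outgoing parameters.
    attach(d) {
      if (inFlight > 0) overlaps += 1;   // two requests now share one token; a
      inFlight += 1;                      // rotating server will reject the second
      d.CSRFToken = token;
      return d;
    },
    // Used from postSubmit / xhr: takes the rotated token out of the JSON response.
    // A response without a token leaves the current one in place.
    consume(json) {
      inFlight = Math.max(0, inFlight - 1);
      const fresh = json && typeof json[TOKEN_FIELD] === 'string' ? json[TOKEN_FIELD] : '';
      if (fresh) token = fresh;
      return token;
    },
    stats: () => ({ inFlight: inFlight, overlaps: overlaps }),
  };
}

// Hooks the store into an Editor instance (postSubmit gives the JSON reply of each
// create/edit/remove) and its DataTable (xhr gives the JSON reply of each data load).
// `editor` is what new $.fn.dataTable.Editor(...) returns, `table` what $(...).DataTable() returns.
function wireCsrf(editor, table, store) {
  editor.on('postSubmit', function (e, json) { store.consume(json); });
  table.on('xhr', function (e, settings, json) { store.consume(json); });
}

// Browser wiring; skipped when the block runs outside a page (e.g. under Node).
// '/api/staff' and '#staff' are placeholder values for this example.
if (typeof window !== 'undefined' && window.jQuery && window.jQuery.fn.dataTable) {
  const $ = window.jQuery;
  const store = createCsrfStore(document);
  const editor = new $.fn.dataTable.Editor({
    ajax: { url: '/api/staff', data: function (d) { store.attach(d); } },
    table: '#staff',
    fields: [{ label: 'Name', name: 'name' }],
  });
  const table = $('#staff').DataTable({
    ajax: { url: '/api/staff', data: function (d) { store.attach(d); } },
    columns: [{ data: 'name' }],
  });
  wireCsrf(editor, table, store);
}
```

The overlap counter is there for observation, not enforcement: if it climbs in practice, either serialise the Editor submissions and table reloads on the client or have the server accept a small window of recently issued tokens, since otherwise the second request of any concurrent pair fails its CSRF check.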

This discussion has been closed.