web-security

Drew Verlee 2022-08-05T17:03:08.677779Z

Sente requires a csrf token to create the client connection. Which I assume gets sent back to the server to get verified. However, the examples confuse me because I expect the csrf token to be per user session or per request, and in the example they're pulling it from the index.html, which isn't really bound to a specific session or request. And in many setups you have a CDN cache an index.html and send it to multiple users; usually they prompt the user to login, and then the SPA is loaded.

Drew Verlee 2022-08-05T17:05:37.045089Z

So maybe what's making this hard is that the login depends on the websocket connection.

Drew Verlee 2022-08-05T17:08:27.236389Z

Actually I might be falsely assuming a user session "starts" after they login.

Drew Verlee 2022-08-05T17:09:20.874749Z

Yea, I guess in this case we're just worried about cross-site, not cross-user leaks.