Sorry for necroing this. If I got this right: on the first request, when the client requests the static content (HTML + JS + CSS), it doesn't matter whether the user is logged in or not (although the docs state "We recommend that the token is a digest of your site's authentication cookie with a salt"). OK, so when a user is logged in (authenticated), an XSRF token is generated and stored in the user's session and also sent to Angular in the form of a cookie with the name X-XSRF-TOKEN, and on every non-GET request the cookie is read by the server and validated; if it is not valid, the input is discarded (or other steps are taken, like temp-banning the IP).

OK, how long is the token valid, and if you have a token with, let's say, 24-hour validity, how do you distinguish between a valid-but-expired token that is crafted and a regular expired token? What happens when the token expires? If your user's session is using AES-256 encryption to store the user ID or session ID, do you even need an XSRF token? Because both are cookies, both are encrypted, both are set when the user is successfully authenticated.

On Friday, January 4, 2013 8:33:25 PM UTC+1, Josh David Miller wrote:

> User first arrives at the website.
>
> Your server responds with a cookie called `X-XSRF-TOKEN` that it stores with the user's session.
>
> On every XHR call, angular will include this cookie automatically in requests.
>
> With each non-GET request, the server will verify it is the same one it created and stored for this user earlier.
>
> Josh
>
> --
> You received this message because you are subscribed to the Google Groups "AngularJS" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/angular?hl=en-US.
