Friday, 26 April 2019

Security risks of disabling session state verification in Laravel Socialite

The Laravel Socialite docs say:

The stateless method may be used to disable session state verification. This is useful when adding social authentication to an API:

return Socialite::driver('google')->stateless()->user();

"Disable session state verification" sounds scary to me. The docs don't elaborate on what the security trade-off is.

In what cases is session state verification important, and why?


Background info and context:

My Socialite flow (using Facebook) is working completely fine when I use stateless().

But if I remove stateless(), only the "normal case" part of my flow works, and the part of the flow that re-requests "email" permissions (if a user omits them at first) does not work and instead results in Laravel\Socialite\Two\InvalidStateException.

Also, I'm not calling $provider->stateless()->user() more than once per request because I know from these docs that it removes a "state" variable from the session and therefore would fail on subsequent calls.

(I use getRedirectLoginHelper()->getReRequestUrl($redirectUrl, ['email']). See the FacebookRedirectLoginHelper docs.)
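The session state check the docs mention, as an added example that is not code from the question, from Laravel, or from Socialite: a stand-alone PHP model of what the redirect/callback pair does with the session "state" value (the function names and the array standing in for the session are assumptions). The check exists because a callback URL that carries someone else's authorization code can be planted in another browser; without a state bound to the session that started the login, the app would sign that browser in as the foreign account (login CSRF), which is the trade-off the docs leave unstated.

```php
<?php
// Added example (not from the question or from Laravel Socialite's source).
// A minimal model of the OAuth2 "state" round trip that stateless() disables.
// The session is a plain array here; in Laravel it would be the session store.

function buildRedirect(array &$session, string $authorizeUrl): string
{
    // Fresh, unguessable value bound to THIS browser session.
    $state = bin2hex(random_bytes(20));
    $session['state'] = $state;
    return $authorizeUrl . '?' . http_build_query(['state' => $state]);
}

function verifyCallback(array &$session, array $query): bool
{
    // Single use: the stored state is pulled and removed, as the asker observed.
    $expected = $session['state'] ?? null;
    unset($session['state']);
    $given = $query['state'] ?? null;
    if ($expected === null || $given === null) {
        return false; // nothing to compare against; Socialite throws InvalidStateException here
    }
    return hash_equals($expected, $given); // constant-time comparison
}

$authorize = 'https://provider.example/oauth/authorize'; // constructed endpoint

// 1. Normal flow: the session that started the redirect also receives the callback.
$session = [];
parse_str((string) parse_url(buildRedirect($session, $authorize), PHP_URL_QUERY), $query);
$query['code'] = 'constructed-code';
echo 'same session:        ', verifyCallback($session, $query) ? 'accepted' : 'rejected', PHP_EOL;

// 2. What the check defends against: a callback URL (code + state) produced in
//    some other session and then opened by a browser that never started a login.
$otherSession = [];
$foreign = ['code' => 'constructed-code', 'state' => 'state-from-another-session'];
echo 'foreign callback:    ', verifyCallback($otherSession, $foreign) ? 'accepted' : 'rejected', PHP_EOL;

// 3. A redirect built outside buildRedirect() (e.g. by another SDK's helper) carries a
//    state this session never stored, so the callback fails the same way.
$session = [];
$unknown = ['code' => 'constructed-code', 'state' => bin2hex(random_bytes(20))];
echo 'state never stored:  ', verifyCallback($session, $unknown) ? 'accepted' : 'rejected', PHP_EOL;

// 4. Verifying twice in one request: the second call finds no stored state.
$session = [];
parse_str((string) parse_url(buildRedirect($session, $authorize), PHP_URL_QUERY), $query);
verifyCallback($session, $query);
echo 'second verification: ', verifyCallback($session, $query) ? 'accepted' : 'rejected', PHP_EOL;
```

Cases 3 and 4 reproduce the two failure modes described in the question: a callback whose state was issued by a different helper, and a second user() call after the state has already been consumed.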



via Chebli Mohamed
