Hi everyone, I wonder if you gurus out there might tell me if the following is a secure way of doing things.
Firstly, I am attempting to use Angular.js as a front end
In order to prevent CSRF I am using an idea from Dan Mosher's Angular Security Video: https://www.youtube…-Id54?start=720
Basically I am injecting the CSRF token into the page as a meta tag (using Yii's Yii::app()->request->cjsrf_token), and then sending it along with the login request.
(I got the cjsrf_token by creating my own CHttpRequest class, from here: http://www.yiiframew…+rf#entry175284)
For reference, I am forcing Yii to load first before my Angular app loads by telling my SiteController to use the layout 'webroot.app.index.php' (which is my Angular app's index page). Then when SiteController tries to load its site/index, it actually loads my Angular app's index instead. I got that idea from: https://github.com/wlepinski/angularjs-yii-boilerplate/blob/master/protected/components/Controller.php
This way, Yii loads first, but then my site controller redirects to the Angular app (in webroot/app/index.php).
Now since Yii is loaded, I can access the csrfToken and inject it into the Angular app's index page:

<meta name="csrf-token" ng-init="csrf_token='<?php echo app()->request->csrfToken;?>'">
Now that it is loaded into Angular, the login page can send it back to Yii for verification:

$scope.user = {
  username: "myusername",
  password: "mypassword",
  YII_CSRF_TOKEN: $scope.csrf_token
};
Yii seems to validate this way... but my question to you is: is this secure? (Provided I am using SSL?)