I meant, how do you distinguish between a crafted expired token and a valid 
expired token?
OK, they're both expired, so it shouldn't matter since they're invalid, but
how do you tell ...
Say a cookie was stolen by someone with access to the victim's (user's) 
computer,
and now this session cookie and XSRF cookie are embedded into the malicious 
guy's browser
and the site is accessed. The malicious guy has a valid session and XSRF 
token.

But OK, XSRF serves another purpose. What purpose again? lol
With server-side "apps" it's used to check if a form that is generated by 
the server is authentic.
But in Angular? I already have an encrypted session cookie, why do I need an 
XSRF token?

On Sunday, May 18, 2014 2:14:37 PM UTC+2, Darko Luketic wrote:
>
>
> ok how long is the token valid and if you have a token with let's say 24 
> hour validity
> how do you distinguish between a valid but expired token that is crafted 
> and a regular expired token
> what happens when the token expires?
>
>
> On Friday, January 4, 2013 8:33:25 PM UTC+1, Josh David Miller wrote:
>>
>> User first arrives at the website.
>>
>> Your server responds with a cookie called `X-XSRF-TOKEN` that it stores 
>> with the user's session.
>>
>> On every XHR call, Angular will include this cookie automatically in 
>> requests.
>>
>> With each non-GET request, the server will verify it is the same one it 
>> created and stored for this user earlier.
>>
>> Josh
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "AngularJS" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to 
>> [email protected].
>> Visit this group at http://groups.google.com/group/angular?hl=en-US.
>>  
>>  
>>
>>
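
The server-side check described in the quoted steps, with the 24-hour lifetime asked about, as an added example that is not part of the original thread or of AngularJS itself. The in-memory `sessions` map, the request shape, the function names and the sample values are assumptions; `X-XSRF-TOKEN` is the header AngularJS sends by default.

```javascript
// Added example: per-session XSRF token check with a 24-hour lifetime.
const crypto = require("crypto");

const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // the 24-hour validity from the question
const sessions = new Map(); // sessionId -> { token, issuedAt }; stand-in for a session store

// User first arrives: create a random token and store it with the session.
function issueToken(sessionId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(sessionId, { token, issuedAt: now });
  return token; // the server hands this to the browser in a cookie
}

// req = { method, sessionId, headers } is a constructed request shape.
function checkRequest(req, now = Date.now()) {
  if (req.method === "GET") return "ok"; // only non-GET requests are verified
  const entry = sessions.get(req.sessionId);
  if (!entry) return "no-session";
  const presented = Buffer.from(String(req.headers["x-xsrf-token"] || ""));
  const expected = Buffer.from(entry.token);
  // Match against the stored value first; timingSafeEqual requires equal lengths.
  if (presented.length !== expected.length ||
      !crypto.timingSafeEqual(presented, expected)) {
    return "mismatch"; // crafted or missing token: it was never stored for this session
  }
  if (now - entry.issuedAt > TOKEN_TTL_MS) return "expired"; // genuine token, too old
  return "ok";
}

// Constructed scenario covering the cases raised in the thread.
function demo() {
  const t0 = 1000000; // constructed timestamp in ms
  const real = issueToken("sess-1", t0);
  const crafted = "a".repeat(64); // same length as a real token, never issued
  const post = (token, now) => checkRequest({
    method: "POST",
    sessionId: "sess-1",
    headers: token ? { "x-xsrf-token": token } : {},
  }, now);
  return {
    fresh: post(real, t0 + 1000),
    crossSite: post(null, t0 + 1000), // session cookie travels, header does not
    crafted: post(crafted, t0 + 1000),
    realExpired: post(real, t0 + TOKEN_TTL_MS + 1),
    craftedExpired: post(crafted, t0 + TOKEN_TTL_MS + 1),
  };
}
```

A crafted token fails as a mismatch whether or not the real one has expired, because the server compares against what it stored rather than trusting anything inside the token. A browser holding copies of both the session cookie and the token cookie passes this check; the token only separates requests sent by the site's own scripts from cross-site ones.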
