Session Fixation Attacks and Login CSRF

[Ezequiel-Valencia]

Problem

Our login does not implement CSRF, since the user is not authenticated yet. This can be a problem, but the attack method is complex enough that bad actors will have to be highly educated, and realistically the site won't garner enough attention immediately to implement this. In the future it could require it though.

The two routes that should be protected with CSRF, but aren't are /register and /login. The way to potentially protect it would be pre-session tokens. This would also mitigate against session fixation attacks.

Login CSRF Attack | Stack Overflow

[Ezequiel-Valencia]

Potential method to mitigate this attack is to have an endpoint which allows for the front-end to pull Nonce's specific for login. Only the front-end with a shared secret with the back-end can pull from this endpoint. Once the Nonce is used for sign-up then it is removed. The Nonce being a randomly generated string of such length that guessing it with a replay is improbable.