This repository has been archived by the owner. It is now read-only.

[Hosted UI] State parameter #147

Open
alshdavid opened this issue Jul 22, 2018 · 2 comments

Comments

@alshdavid

alshdavid commented Jul 22, 2018

Hey, not sure where else to talk about the hosted ui.

How do I use the state parameter with the hosted UI?

@kuabhila

kuabhila commented Aug 1, 2018

You could use a client-generated value in the state parameter to prevent CSRF attacks. Cognito's login and authorization endpoints support this parameter. So, include a sufficiently large and random value in the state parameter while entering the URL in your client/browser.

@vpod

vpod commented Aug 13, 2018

From what I see the SDK would generate the state automatically, if none is set. However it does not store the generated value and does not validate it upon callback (see getFQDNSignIn()).
Why is that?
I would agree that it is the user's responsibility to do, but as the SDK has made the first step to generate a random value, maybe it would be reasonable to use it? At least I see no reason why not to add the storage and validation.

What would the maintainers say?
