
Why use state, or even nonce?


#1

When talking about state, the documentation and the posts in this forum say that it is intended to prevent CSRF attacks. How does it do this? If I send a value to Auth0 when a user logs in, as the documentation says to do every time, and the request were being intercepted, the third party would simply copy the state into their response. So when my SPA compares the response, it's going to match. So how does this protect against anything?

Actually, I don’t understand how nonce is supposed to protect against replay attack, for the same reason.

I'm obviously misunderstanding something but have no idea what. Any help appreciated.


#2

A post was merged into an existing topic: SPA’s don’t do authentication (replay attacks)
