Our application operates in the following manner:
- Each user is required to log in
- The login page sends a request back to the server and returns a Single Page Application (SPA) if the user is authorized
- The SPA is fully AJAX-driven
- Operates over HTTPS
Typically, we would set a `sessionid` cookie and a `csrftoken` cookie. The token value of the cookie would be included as an x-header in any AJAX posts, with verification taking place on the server for every request.
Since the SPA page is constructed prior to being sent to the browser, we have flexibility in embedding additional information into it. We want users to be able to log in on multiple tabs without affecting one another.
Here's our preferred method:
- Send the sessionid as a uniquely named cookie, similar to before
- No csrftoken required, but instead embed the unique cookie name within the JavaScript routine that adds the x-header to AJAX post requests
- The server can extract the sessionid from the x-header
This approach allows for multiple logins, where each login has a distinct `sessionid` cookie name, while maintaining a consistent x-header name for all post requests.
Do you think this method is as secure as the sessionid cookie combined with the csrftoken cookie/x-header approach?
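Server-side verification of both schemes side by side, as an added example (not code from the question); the header names, the `sessionid_` cookie prefix and the in-memory session store are assumptions. It makes one check concrete: in the proposed scheme the header only names a cookie, so the server must confirm a cookie of the expected form is actually present and read the session id from that cookie, never from the header itself.

```python
import hmac

# Constructed in-memory session store (session id -> user); stands in for
# whatever server-side session storage the real application uses.
SESSION_STORE = {
    "sid-alice-tab1": "alice",
    "sid-bob-tab2": "bob",
}

CSRF_HEADER = "X-CSRFToken"              # assumed header name, classic scheme
COOKIE_NAME_HEADER = "X-Session-Cookie"  # assumed header name, proposed scheme
COOKIE_PREFIX = "sessionid_"             # assumed prefix of per-login cookie names


def verify_classic(cookies, headers):
    """Classic scheme: sessionid cookie plus csrftoken cookie mirrored in a header.

    Returns the user for an accepted request, or None if it must be rejected.
    """
    sid = cookies.get("sessionid")
    token_cookie = cookies.get("csrftoken")
    token_header = headers.get(CSRF_HEADER)
    if not (sid and token_cookie and token_header):
        return None
    # Constant-time comparison of the double-submitted token.
    if not hmac.compare_digest(token_cookie, token_header):
        return None
    return SESSION_STORE.get(sid)


def verify_named_cookie(cookies, headers):
    """Proposed scheme: the header carries the name of this tab's session cookie.

    The header is accepted only if it names a cookie of the expected form and a
    cookie by that name is present; the session id is taken from that cookie.
    """
    name = headers.get(COOKIE_NAME_HEADER)
    if not name or not name.startswith(COOKIE_PREFIX):
        return None
    sid = cookies.get(name)
    if not sid:
        return None
    return SESSION_STORE.get(sid)
```

Both checks rest on the same browser property: a cross-site form post carries the cookies automatically but cannot attach a custom header, so the header is what proves the request came from the SPA's own JavaScript.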