As far as I could see, the Magento 2 REST API uses the PHP session ID for authentication during XHR requests on the cart and checkout pages, and there appears to be no additional CSRF token or anything similar to the form_key used in forms.
Well, there is a form_key passed as a cookie, but it seems to be ignored by the application, and only PHPSESSID is important.
This means that it is possible to change a customer's cart data with only their PHP session ID, and theoretically to fake a request.
Is there any other anti-CSRF protection mechanism I'm missing? If not, can I be sure that this part of Magento (the session-authenticated REST API on the checkout and cart pages) is CSRF-secure?
Thanks for anything that would help me better understand the protection mechanism of Magento API.
System: Magento 2.2.x