Can I rely on the CSRF cookie to check if a user is authenticated on the client-side?

Information Security Asked by turnip on December 15, 2020

I have a website that runs on The website makes AJAX calls to my backend API which sits at

I employ a double-submit verification strategy.

The backend has protected endpoints which check the JWT token with each request. The JWT token is stored in a httpOnly cookie. It also contains the CSRF token.

Alongside the JWT cookie I also send a CSRF cookie which is not httpOnly.
Each request that the client makes must contain the value of this cookie in a special header.

So far so good, but, I want to make sure that the client does everything in its power to prevent users from making pointless unauthenticated requests. So in my React app I have declared a few private routes which check if the user is logged in and if they are not, the user is redirected to the login page.

The way I check if a user is authenticated is by checking if they have the CSRF cookie. If they do, they are allowed to navigate to the protected page. All subsequent requests on this page are still verified on the backend for a JWT and CSRF token.

My question is, is this a valid way to check that the client is authenticated on the client-side?

Additionally, should I be setting the sameSite cookie option to True for both cookies?


One thing I have just thought of is that it is probably better to create a simple endpoint on the backend that is used to check if the user is logged in. So instead of just checking the cookie, the client can submit a request to this endpoint and verify that the token in the cookie is still valid.

2 Answers

Instead of checking if user is eligible to perform a request to some resource (API) I would implement security check on resource side (as possibly you already have). In this case the API is validating all the cookies and if not resource is reacting on not secure request.

This solution architecture is easier to be implemented and to understand. The only check on client side to see if user is authenticated can be useful if you want to somehow adjust UI on this state but for this I would use some different cookie than CSRF cookie.

SameSite cookie setting to "true" is not possible. you can only set "None", "Stric" or "Lax". The setting depends on this, if the cookie will be used on "cross site" use cases.

Answered by Bartosz Rosa on December 15, 2020

This is more a web application architecture question than a security one.

Isn't having a JWT token enough to consider the user logged from the client side perspective?

I assume the user authenticate before getting the token, presumably from the successful login response.

When the token expired return an unauthorized response, look for this response on every ajax response ( and redirect the user to the login page.

Answered by Ron on December 15, 2020

Add your own answers!

Related Questions

Jenkins malicious process identification

2  Asked on October 28, 2021 by nemanja-martinovic


Does encrypted content in a database need to be signed?

1  Asked on October 28, 2021 by ian-warburton


WhatsApp account got “hacked”/hijacked?

1  Asked on October 28, 2021 by d-a-vorm


iCloud deletion

1  Asked on October 28, 2021 by mp115


Difference between Zeek (Bro) and Snort 3

2  Asked on October 28, 2021 by ustavsaat


Help Understanding PHP Reverse Shells

1  Asked on October 28, 2021 by pdawg


Refresh token using a separate auth server?

0  Asked on October 28, 2021


Is the perfect MITM attack possible?

1  Asked on October 28, 2021 by user238715


What attack vectors does arbitrary JS on a user profile allow?

2  Asked on October 28, 2021 by sellarafaeli


Processing Exceptionally High Volume Singular Flows

1  Asked on March 9, 2021 by reedghost


Ask a Question

Get help from others!

© 2022 All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir