
Is it secure to use session ID as authentication token received from an HTTP header?

Çağlar Arlı      -    19 Views


I am writing a mobile application for an already existing web app. In the backend, I implemented the usual cookie-based session ID authentication, with a CSRF token generated on login and sent with each request in a custom header.

The problem is that I want to use the same backend for both the mobile app and the web app.

Using an HttpOnly cookie is good against XSS attacks, but it makes it hard to use with a mobile application. And while researching I found that I shouldn't rely on HttpOnly to protect against XSS and should rather rely on the front-end code not allowing JS injection.

What I have tried is:

  • On login, send the session ID in both a cookie AND in the body.
  • The web app uses the cookie with the CSRF token to authenticate.
  • The mobile app uses the session ID provided on login to authenticate, like a usual bearer token, sent in a custom header.

Is this secure? Are there any security risks to this method?

Note: the CSRF token will only be sent by the web app, since it is the only vulnerable environment. The backend checks whether the session ID was sent in a header. If so, no CSRF token is required, since custom headers are not set automatically by the browser.
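The dual-path check the question describes, written out as an added example (this is not code from the post or from the asker's backend). It is framework-independent Python: `authenticate` takes the request method plus plain dicts of headers and cookies, and the header name `X-Session-Id`, the cookie name `session`, the CSRF header `X-CSRF-Token` and the in-memory session store are all assumptions made for the example. One refinement over the post is that the cookie path only demands the CSRF token on state-changing methods; an invalid header token fails closed instead of falling back to the cookie, so the two paths never mix.

```python
import hashlib
import hmac
import secrets

# Example-only in-memory session store; a real backend would use a database
# or cache. Keyed by the SHA-256 of the session ID so that a leaked store
# does not hand out live tokens.
_SESSIONS = {}

# Methods that must not change server state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _key(session_id):
    """Storage key for a session ID (hashed, never stored in clear)."""
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def login(user):
    """Create a session and return (session_id, csrf_token).

    As in the question, the caller puts session_id into an HttpOnly cookie
    for the web app and also into the response body for the mobile app.
    """
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    _SESSIONS[_key(session_id)] = {"user": user, "csrf": csrf_token}
    return session_id, csrf_token


def authenticate(method, headers, cookies):
    """Return (user, path) on success or (None, reason) on failure.

    Two authentication paths (header names matched case-insensitively):
      * X-Session-Id header: bearer-style, used by the mobile app. No CSRF
        check, because a browser never attaches a custom header on its own.
      * session cookie: used by the web app. State-changing requests must
        also carry a matching X-CSRF-Token header.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}

    header_sid = hdrs.get("x-session-id")
    if header_sid is not None:
        # Header path. Deliberately no fallback to the cookie: a bad header
        # token is rejected rather than silently switching to cookie auth.
        session = _SESSIONS.get(_key(header_sid))
        if session is None:
            return None, "invalid session id in header"
        return session["user"], "header"

    cookie_sid = cookies.get("session")
    if cookie_sid is None:
        return None, "no credentials"
    session = _SESSIONS.get(_key(cookie_sid))
    if session is None:
        return None, "invalid session cookie"

    if method.upper() not in SAFE_METHODS:
        supplied = hdrs.get("x-csrf-token", "")
        # Constant-time comparison on bytes so a malformed header cannot
        # raise and the token does not leak through timing.
        if not hmac.compare_digest(supplied.encode("utf-8"),
                                   session["csrf"].encode("utf-8")):
            return None, "missing or wrong csrf token"
    return session["user"], "cookie"


if __name__ == "__main__":
    # Constructed requests for a quick demonstration.
    sid, csrf = login("alice")
    print(authenticate("POST", {"X-CSRF-Token": csrf}, {"session": sid}))
    print(authenticate("POST", {}, {"session": sid}))
    print(authenticate("POST", {"X-Session-Id": sid}, {}))
```

Everything a browser sends automatically (the cookie) lands on the path that requires the CSRF token; everything a browser cannot send cross-origin without a CORS preflight (a custom header) lands on the bearer path. That split only holds if the CORS policy does not allow arbitrary origins to send `X-Session-Id`.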