Thursday, May 10, 2018

CSRF Token with Cookies

Cross-site Request Forgery protection in web applications via Double Submit Cookies Patterns


In the previous blog post, I discussed how to achieve CSRF attack protection using the synchronizer token pattern. In this post, I am going to discuss how to enable CSRF protection using the double submit cookie pattern.

What is the double submit cookie pattern?

When a user authenticates to a site, the site should generate a cryptographically strong pseudorandom value and set it as a cookie in the user's browser, separate from the session ID. The server does not have to store this value in any way, which is why this pattern is also called a stateless CSRF defense.

In the double submit cookie pattern, two cookies (one for the session and one for the CSRF token) are stored in the browser.
In the previous method, we stored the CSRF token values on the server side (in a text file). Here we do not store them at all.

Implementation of "Double Submit Cookie" Pattern

  • Once the page loads in the web browser, the user sees a simple login form. The username and password are hard-coded in the code.





result.php




As you can see, two cookies are stored in the browser. Both cookies have a one-year expiration time and they are accessible from anywhere.

A JavaScript function retrieves the CSRF value from the csrf cookie set in the browser. The DOM is then modified with the value retrieved from the csrf cookie.

home.php



The csrf cookie value and the csrf value from the HTML hidden field are passed to the checkToken function as parameters.

token.php



This function returns true if the two CSRF token values match.
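As an added example that is not the post's own code, here is the server side of the pattern in plain PHP: issuing the csrf cookie at login and the token.php-style check. The cookie and hidden-field name `csrf`, the function names and the 64-character token length are assumptions; setcookie() with an options array needs PHP 7.3 or later.

```php
<?php
// Added example (not the post's own code). Names below are assumptions.
const CSRF_COOKIE = 'csrf';   // assumed cookie name
const CSRF_FIELD  = 'csrf';   // assumed hidden-field name

// Issue the CSRF cookie after a successful login. The value comes from the
// CSPRNG, is never stored server side, and lives in a cookie that is
// separate from the session ID cookie.
function issueCsrfCookie(): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits of entropy, 64 hex chars
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => time() + 365 * 24 * 60 * 60, // one year, as in the post
        'path'     => '/',
        'secure'   => true,                        // only sent over HTTPS
        'httponly' => false,                       // the page's JavaScript must read it;
                                                   // the session cookie itself should stay HttpOnly
        'samesite' => 'Strict',                    // extra defence; the token check is still required
    ]);
    return $token;
}

// token.php equivalent: compare the cookie value with the value the form
// submitted. hash_equals() is constant-time, so response timing does not
// leak how many leading bytes of the token matched.
function checkToken(?string $cookieToken, ?string $formToken): bool
{
    if ($cookieToken === null || $formToken === null) {
        return false;   // a missing token is a failure, never a pass
    }
    if (strlen($cookieToken) !== 64 || !ctype_xdigit($cookieToken)) {
        return false;   // reject values that could not have come from issueCsrfCookie()
    }
    return hash_equals($cookieToken, $formToken);
}

// Handling a state-changing POST: the session cookie identifies the user;
// the csrf cookie and the hidden field must agree before anything happens.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!checkToken($_COOKIE[CSRF_COOKIE] ?? null, $_POST[CSRF_FIELD] ?? null)) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    // ... perform the requested action ...
}
```

Because the cookie is readable by JavaScript by design, this pattern only holds while an attacker cannot set or read cookies for the site, so it should be combined with HTTPS and a clean subdomain setup.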


This is the second way of protecting your website from CSRF attacks, using the double submit cookie pattern.

You can download this implementation from my GitHub account:

https://github.com/pamoda-perera/csrf-token-with-cookies
