Double Submit Cookie Pattern
What is the CSRF attack?
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
What does it mean?
This blog post will discuss the Double Submit Cookie Pattern. Double submitting cookies is defined as sending a random value both in a cookie and as a request parameter, with the server verifying that the cookie value and the request value are equal.
How does it work?
When a user logs into the site, a session is created and the session ID is set as a cookie in the browser. At the same time, a second cookie is set holding the CSRF token.
Next, before the user submits a protected form, client-side script extracts this token from the cookie and places it in a hidden input field in the HTML. The cookie therefore cannot be set HttpOnly, because the client-side script needs to read it: in this variant of the pattern there is no token endpoint, and the server keeps no record of the token it generated for the session.
The server validates the token sent as a form parameter against the cookie value and, if they match, authorizes the action. Under the same-origin policy a cross-origin attacker can neither read the server's responses nor read the cookie, so it cannot learn the token it would need to place in the forged request. One caveat: the pattern only holds as long as the attacker cannot set a cookie for the target site either. An attacker who controls a sibling subdomain (or a plain-HTTP page on the same domain) can plant a CSRF cookie of their own choosing and submit a matching form value. Setting the cookie with the __Host- prefix, and binding the token to the session with an HMAC under a server-side secret (the "signed double submit cookie"), closes that gap.
I have developed this simple web application using PHP and JavaScript. You can find the source code here.
First, you need to log in to the application by entering the username and password. For the demo, I have hardcoded the credentials:
username: kaviru
password: Kaviru98
How to implement it?
The login form submits the user's credentials with a POST request. If the user is authenticated successfully, the server creates a unique session ID and a CSRF token, but stores only the session ID. Importantly, the server does not store the CSRF token in this scenario.
The figure illustrates how the CSRF cookie is set in the browser once the user has logged in.
After the CSRF token has been set as a cookie, when the transaction page loads the stored token is assigned to the value of the hidden form field using the JavaScript below (an AJAX self-call).
The figure illustrates the value of the hidden form field after the token has been assigned to it.
When the form is submitted, the back end receives the request from the client. The server then validates the form details and compares the CSRF token received in the form with the CSRF token in the cookie sent by the client.
Finally, if the two tokens match, a success message is displayed.
I will be discussing the Synchronizer Token Pattern CSRF prevention method in the next blog post here.
Thank you.