Wednesday, May 9, 2018

Double Submit Cookies

Cross-site Request Forgery protection in web applications via Double Submit Cookies Patterns.


In the previous blog post I have described about Synchronize Token Pattern Approach which can be applied as a prevention method of Cross Site Request Forgery(CSRF). In this blog post I will share some knowledge on another CSRF prevention technique which is Double Submit Cookie Pattern approach.


According to Wikipedia Double Submit Cookie is defined as sending a random number value in both a cookie and as a request parameter, with the server verifying that the cookie value and request value match. 

Sample Demonstration

As  similar as the previous  blog post i just created a simple login form by hard coding the user credentials.


Upon login, I generated a session identifier and set as a cookie in the browser.At the same time generate the CSRF token for the session and set a cookie in the browser.

After a successful login it will redirect you to another page which consists a form to be filled.

When the form is submitted to the action the CSRF token cookie will be submitted and also in the form body the CSRF token value will be submitted.

In the web page that accepts the form submission (the URL of the action), obtain the CSRF token received in the cookie and also in the message body.Compare the two values received and if they match, show success message. If not show error message.


You can find the source code from here.

No comments:

Post a Comment

Get Unlimited Free Trials Using a "Real" Fake Credit Card Number

When I see the words "free trial," I know I'm probably going to have to whip out my credit card and enter in the number to &qu...