Double Submit Cookies Pattern

In this post we will talk about the Double Submit Cookies Pattern and how to use it to prevent Cross-Site Request Forgery. Refer to this post if you want to know more about CSRF and the Synchronizer Token Pattern.

This technique is stateless and easy to implement. The CSRF token is stored in the browser as a cookie. With each request this cookie is sent to the server, which validates it against the token carried in the form.

Now, let us see how to implement the Double Submit Cookies Pattern using PHP.

First, we will implement the login page (index.php). Upon login, a session identifier is generated and stored in the browser as a cookie.

The expiry time of the cookie is set to 1 hour.

When the form is submitted to the server via POST, the server authenticates the user with the username and password and generates a CSRF token from the session id and a unique random value. The token is a hash of these two values, and it is stored in the browser as a cookie.

In this tutorial the user credentials are hard-coded (username: user, password: user).

After login the user is redirected to the website page (client.php). In this tutorial sample, a status-updating page is implemented.

When the client page loads, the CSRF cookie is read by a JavaScript function and the value of the cookie is inserted into a hidden field in the form.

When the form is submitted to the server via POST, the CSRF token cookie is also sent to the server with the request. The server then compares the value of the received CSRF cookie with the CSRF token in the form body. If both values match, the request is valid.

The user can log out from the session by clicking the logout button.

It is recommended to always log out, as this mitigates CSRF attacks. When the user logs out the session is destroyed, and any cookies and session data related to that session are invalid thereafter.
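The whole flow described above (login that issues the CSRF cookie, a client page whose JavaScript copies the cookie into a hidden field, server-side comparison of cookie and form value, and logout) is collected below in a single PHP file as an added example; it is not the post's own index.php/client.php code. It assumes PHP 7.3 or later (for the array form of setcookie), keeps the tutorial's hard-coded user/user credentials, uses a hypothetical `?page=` query parameter to select the login, client and logout handlers, and names the cookie and hidden field `csrf_token`.

```php
<?php
// Added example of the Double Submit Cookies Pattern (not the post's own code).
// Assumptions: one file routed by ?page=login|client|logout, credentials user/user
// as in the tutorial, cookie and hidden field both named csrf_token.
declare(strict_types=1);

const CSRF_COOKIE     = 'csrf_token';
const COOKIE_LIFETIME = 3600; // 1 hour, as in the tutorial

session_start();

// Token = hash(session id || fresh random value), as the post describes.
function generateCsrfToken(string $sessionId): string
{
    $random = bin2hex(random_bytes(32));
    return hash('sha256', $sessionId . $random);
}

// The double-submit check: cookie value and form value must both be present,
// well-formed, and identical. hash_equals() avoids a timing side channel.
function csrfTokenIsValid(?string $cookieToken, ?string $formToken): bool
{
    if ($cookieToken === null || $formToken === null) {
        return false;
    }
    if (!preg_match('/^[0-9a-f]{64}$/', $cookieToken)) {
        return false; // reject anything that is not a sha256 hex digest
    }
    return hash_equals($cookieToken, $formToken);
}

$page = $_GET['page'] ?? 'login';

if ($page === 'logout') {
    // Destroy the session and expire the CSRF cookie so neither is reusable.
    $_SESSION = [];
    setcookie(CSRF_COOKIE, '', time() - COOKIE_LIFETIME, '/');
    session_destroy();
    header('Location: ?page=login');
    exit;
}

$error = '';
if ($page === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (($_POST['username'] ?? '') === 'user' && ($_POST['password'] ?? '') === 'user') {
        session_regenerate_id(true);         // fresh session id on login
        $_SESSION['user'] = 'user';
        setcookie(CSRF_COOKIE, generateCsrfToken(session_id()), [
            'expires'  => time() + COOKIE_LIFETIME,
            'path'     => '/',
            'secure'   => true,
            'httponly' => false,             // the page's JavaScript must read it
            'samesite' => 'Strict',
        ]);
        header('Location: ?page=client');
        exit;
    }
    $error = 'Invalid credentials';
}

if ($page === 'client') {
    if (!isset($_SESSION['user'])) {
        header('Location: ?page=login');
        exit;
    }
    $message = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $valid   = csrfTokenIsValid($_COOKIE[CSRF_COOKIE] ?? null, $_POST['csrf_token'] ?? null);
        $message = $valid
            ? 'Status updated: ' . htmlspecialchars($_POST['status'] ?? '', ENT_QUOTES)
            : 'Request rejected: CSRF token mismatch';
    }
    ?>
    <!DOCTYPE html><html><body>
    <p><?= $message ?></p>
    <form method="post" action="?page=client">
      <input type="text" name="status" placeholder="Update your status">
      <input type="hidden" name="csrf_token" id="csrf_token" value="">
      <button type="submit">Update</button>
    </form>
    <form method="post" action="?page=logout"><button type="submit">Logout</button></form>
    <script>
      // Read the CSRF cookie and copy its value into the hidden form field.
      const m = document.cookie.match(/(?:^|;\s*)csrf_token=([0-9a-f]+)/);
      if (m) document.getElementById('csrf_token').value = m[1];
    </script>
    </body></html>
    <?php
    exit;
}
?>
<!DOCTYPE html><html><body>
<?php if ($error !== '') { echo '<p>' . htmlspecialchars($error, ENT_QUOTES) . '</p>'; } ?>
<form method="post" action="?page=login">
  <input name="username" placeholder="username">
  <input type="password" name="password" placeholder="password">
  <button type="submit">Login</button>
</form>
</body></html>
```

Two design points worth noting. The cookie is deliberately not HttpOnly, because the pattern depends on page script reading it; a third-party site cannot read it because of the same-origin policy, which is what makes the check work. The check as written only proves that the sender could read the cookie: an attacker who can set cookies for the domain (for example from a compromised subdomain) could plant a matching pair, so a hardened deployment either keeps a copy of the token in the server session and compares against that as well, or signs the token with a server-side secret (HMAC) so forged cookies are rejected.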
