Double Submit Cookie Pattern

The double submit cookie pattern sends a random value both in a cookie and as a request parameter; the server then checks that the cookie value and the request value are equal.

Double submit cookie pattern

When a user authenticates to a site, the site should generate a session identifier and set it as a cookie in the browser. At the same time, it generates a cryptographically strong random value, the CSRF token, for the session and sets it as a second cookie on the user’s machine, separate from the session id. The server does not have to save this value in any way, which is why this pattern is also called the Stateless CSRF Defense.

The site then requires that every request include this random value as a hidden form value (or another request parameter). Per the same-origin policy, a cross-origin attacker cannot read any data sent from the server or modify cookie values.

With this mitigation technique the client’s job is very simple: retrieve the CSRF cookie from the response and add it, in a special header, to all subsequent requests.

Let’s look at a sample project.

First, you need to log in to the application by entering a username and password. For the demo, I have hardcoded the credentials (username: admin, password: nikoniko).

Login screen

This login form submits the user credentials with a POST request. If the user is authenticated successfully, the server creates a unique Session-Id and the CSRF token, but it only stores the Session-Id. Importantly, the server does not store the CSRF token in this scenario.

The server then returns the CSRF token along with the response body. After that, the generated session id and the CSRF token from the server response are set as cookies in the browser.

Here we must set the httponly flag to “false”, because JavaScript must be able to read the CSRF token cookie and add it to the hidden field in the POST request.

Cookie setup code segment
Stored CSRF cookie
Stored CSRF token

After that the user is redirected to the user status update page. On this page, I have implemented a self-call to get the stored CSRF token from the browser cookies.

AJAX call

The corresponding CSRF token is then added to the hidden field.

AJAX call

I have implemented a POST request to update some user status. The POST request contains this generated CSRF token and the session cookie.

When the user clicks the “updatepost” button, the POST request is sent. The server then validates the session id from the cookie header and also compares the CSRF token from the request body (the hidden field value) against the CSRF token from the cookie header. If the tokens match, the server accepts the request.

Cookies are sent automatically with every request, regardless of whether the request was initiated by the original site or by a third-party site. That is why a cookie alone does not suffice: every request will contain it.

But because the token must also be present in the request itself, an attacking site can no longer generate valid requests, as it cannot get hold of the user’s token.
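The round trip described above (login issues the two cookies, the page’s JavaScript copies the CSRF cookie into the hidden field, the server compares hidden field against cookie) as a self-contained Python sketch. This is an added example, not the code of the sample project in this post; the cookie names SESSIONID and CSRF-TOKEN, the field name csrf_token and the in-memory session set are assumptions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed cookie/field names (the post does not name them).
SESSION_COOKIE = "SESSIONID"
CSRF_COOKIE = "CSRF-TOKEN"
CSRF_FIELD = "csrf_token"

# The only server-side state: issued session ids. CSRF tokens are never stored.
_sessions = set()


def login(username, password):
    """Check the demo credentials; on success return the session id, the CSRF
    token and the Set-Cookie header values the server would send, else None."""
    ok = hmac.compare_digest(username.encode(), b"admin") and \
        hmac.compare_digest(password.encode(), b"nikoniko")
    if not ok:
        return None
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)  # cryptographically strong, not persisted
    _sessions.add(session_id)
    set_cookie = [
        f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax",
        # No HttpOnly here: the page's JavaScript must be able to read this cookie.
        f"{CSRF_COOKIE}={csrf_token}; Path=/; Secure; SameSite=Lax",
    ]
    return {"session_id": session_id, "csrf_token": csrf_token, "set_cookie": set_cookie}


def build_status_form(cookie_header, status):
    """Client side: what the page's JavaScript does with document.cookie,
    copying the CSRF cookie value into the hidden field of the update form."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    token = jar[CSRF_COOKIE].value if CSRF_COOKIE in jar else ""
    return {"status": status, CSRF_FIELD: token}


def validate_post(cookie_header, form):
    """Server side: the session cookie must be known and the hidden-field token
    must equal the CSRF cookie (constant-time compare, no stored token needed)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    session_id = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else ""
    csrf_cookie = jar[CSRF_COOKIE].value if CSRF_COOKIE in jar else ""
    if not csrf_cookie or session_id not in _sessions:
        return False
    return hmac.compare_digest(csrf_cookie.encode(), form.get(CSRF_FIELD, "").encode())
```

A third-party page can make the browser attach both cookies, but it cannot fill the hidden field, so validate_post rejects its request. The check only holds while no one can read the non-HttpOnly cookie via XSS or write cookies for the domain, which is why the Secure and SameSite attributes matter.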
