The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy.
In the case of this mitigation technique the job of the client is very simple, just retrieve the CSRF cookie from the response and add it into a special header to all the requests:
Client workflow
The job of the server is a little more complex, create the CSRF cookie and for each request asking for a protected resource, check that the CSRF cookie and the CSRF header of the request are matching:
Implementation of "Double Submit Cookie" Pattern
Use code in the below link for the implementations.
https://github.com/tharushi-pushpakumara/Cross-site-Request-Forgery-protection-with-Double-Submit-Cookies-Patterns
Index.php file is the initial file. It is a single login page. CSRF token is generate by the following code segment
Once logged in, the user is redirected to an another web page. within that web page the CSRF token is generated.
This one way to be protected from CSRF token. there is an another way called Synchronizer token pattern.