Saturday, May 12, 2018

Cross Site Request Forgery Protection with Double Submit Cookies Patterns

When a user authenticates to a site, the site should generate a (cryptographically strong) pseudo-random value and set it as a cookie on the user’s machine separate from the session ID. The server does not have to save this value in any way, that's why this pattern is also called Stateless CSRF Defense.

The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy.

With this mitigation technique the client's job is simple: read the CSRF cookie from the response and send its value back in a dedicated header on every request:

Client workflow


The server's job is a little more complex: it creates the CSRF cookie and, for each request for a protected resource, checks that the CSRF cookie and the CSRF header of the request match:
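The two server-side halves described above (issuing the cookie at login, comparing cookie and header on every protected request) as a small added example in Python; this is not the post's PHP code, and the cookie name `csrf_token` and header name `X-CSRF-Token` are assumptions:

```python
import hmac
import secrets
from http.cookies import SimpleCookie

CSRF_COOKIE = "csrf_token"      # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"    # assumed header name the client copies the value into


def issue_csrf_token() -> str:
    """Cryptographically strong random value, kept separate from the session ID."""
    return secrets.token_urlsafe(32)


def set_csrf_cookie(token: str) -> str:
    """Build the Set-Cookie value sent after login. The server stores no copy (stateless)."""
    c = SimpleCookie()
    c[CSRF_COOKIE] = token
    c[CSRF_COOKIE]["secure"] = True          # only ever sent over HTTPS
    c[CSRF_COOKIE]["samesite"] = "Strict"
    # Deliberately not HttpOnly: the page's script must read it to fill the header.
    return c.output(header="").strip()


def parse_cookie_header(cookie_header: str) -> dict:
    """Turn a raw Cookie: request header into {name: value}."""
    c = SimpleCookie()
    c.load(cookie_header)
    return {name: morsel.value for name, morsel in c.items()}


def is_valid_request(cookie_header: str, request_headers: dict) -> bool:
    """Double-submit check: both values must be present and equal.

    A cross-origin forged request carries the cookie (the browser attaches it)
    but not the header, because the attacker cannot read the cookie's value.
    """
    cookie_token = parse_cookie_header(cookie_header).get(CSRF_COOKIE, "")
    header_token = request_headers.get(CSRF_HEADER, "")
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(cookie_token, header_token)
```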

Implementation of "Double Submit Cookie" Pattern

The code for the implementation is available at the link below.


https://github.com/tharushi-pushpakumara/Cross-site-Request-Forgery-protection-with-Double-Submit-Cookies-Patterns

Index.php is the initial file; it is a single login page. The CSRF token is generated by the following code segment:




Once logged in, the user is redirected to another web page. Within that web page the CSRF token is generated.



This is one way to protect against CSRF. There is another way, called the Synchronizer Token Pattern.

