Thursday, October 4, 2018

Double Submit Cookies Pattern


Securing Your PHP Web Application Using Double Submit Cookies Pattern


In the previous article, I discussed CSRF attacks and how to protect a web application from them using the Synchronizer Token pattern.


In this post I describe the Double Submit Cookie pattern, another way of protecting a web application from CSRF attacks. It is also known as the Stateless CSRF Defense. By the end of this post you should have a clear idea of what the Double Submit Cookie pattern is and how it works.


Double Submit Cookies against Synchronizer Tokens
Both methods use a session identifier and a per-session CSRF token. As discussed previously, in the Synchronizer Token pattern the server stores each CSRF token against the session ID, so the token lives in server-side storage and a submitted token is checked against what the server stored.
In the Double Submit Cookie pattern the server stores no token at all: the CSRF token is sent to the browser as a cookie, and on submission the server only checks that the value in the cookie and the value in the request body match. This is the main difference between the two approaches, and it is why the Double Submit Cookie pattern is called the Stateless CSRF Defense.
Double Submit Cookies Pattern - how does it work?

Upon login, a session identifier is generated and set as a cookie in the browser. At the same time, a CSRF token for the session is generated and set as a second cookie in the browser. The token must be unpredictable, so it has to come from a cryptographically secure random source.

Code to generate the Session ID and the CSRF token (screenshot not reproduced here)
After a successful login, the application redirects you to another page that contains a user update form.

When the form is submitted to its action URL, the browser sends the CSRF token cookie automatically, and the same token value is also submitted in the form body (as a hidden field).
The page that accepts the submission (the URL of the action) reads the CSRF token from the cookie and from the message body. The two values are compared, using a constant-time comparison so that the check does not leak information through timing; if they match a success message is shown, otherwise an error message is shown.
Matching the two values (screenshot not reproduced here)

Working Example

To demonstrate how the theory above works in real life, I have implemented a sample web application using PHP with a Bootstrap front end. The sample is a monolithic web application: a front end with a few HTML pages and a PHP back end that processes the incoming requests.
The source code is available on GitHub. The flow is the same as in the previous application for the Synchronizer Token pattern.
Step - 01 (screenshot not reproduced here)
Step - 02 (screenshot not reproduced here)

Unlike in the Synchronizer Token pattern, the CSRF token is set as a cookie and sent to the browser, because the value is not persisted on the server. This works because a page served from another origin cannot read the cookie (same-origin policy), so an attacker's forged form cannot contain the matching value. For the same reason the token cookie must not be flagged HttpOnly: a client-side script on the page reads it when the form loads and injects it into a hidden field, so it is submitted along with the form. One caveat a practitioner should keep in mind: the plain pattern only checks that the two values are equal, so anyone who can set a cookie for the site (for example from a vulnerable sibling subdomain, or over plain HTTP if the cookie is not marked Secure) can plant both values. Binding the token to the session with a server-side HMAC (the signed double submit variant) closes that gap while keeping the server stateless.
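As an added, complete example (my own code written for this post, not the code from the sample application on GitHub), here is a single PHP file that does what the steps above describe: it issues the token as a cookie on first load, copies it into the hidden field with a client-side script, and on POST compares the cookie value with the body value in constant time. It also includes an HMAC-signed variant of the token, bound to the session ID with a server secret, as the hardened form that survives an attacker who can set cookies for the domain. The cookie and field name csrf_token, the CSRF_SECRET value and the display_name field are this example's own assumptions, and because the cookie is marked Secure the page assumes it is served over HTTPS.

```php
<?php
// Added example, not the blog's own code: a single-file PHP page implementing
// the Double Submit Cookie pattern. The name "csrf_token", the CSRF_SECRET
// value and the "display_name" field are this example's own assumptions.
declare(strict_types=1);

const CSRF_COOKIE = 'csrf_token';   // cookie that carries the token
const CSRF_FIELD  = 'csrf_token';   // hidden form field that repeats it
// Assumption: a real deployment loads this from configuration, not source.
const CSRF_SECRET = 'replace-with-a-long-random-server-side-secret';

/** Fresh, unpredictable token: 32 bytes from the CSPRNG, hex encoded (64 chars). */
function csrf_generate_token(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Set the token cookie. It must NOT be HttpOnly, because the page's own
 * script reads it into the hidden field; Secure and SameSite limit exposure
 * over plain HTTP and in cross-site requests.
 */
function csrf_set_cookie(string $token): void
{
    setcookie(CSRF_COOKIE, $token, [
        'path'     => '/',
        'secure'   => true,
        'httponly' => false,    // JavaScript has to read it
        'samesite' => 'Strict',
    ]);
}

/** Plain double submit: cookie value and body value must be identical. */
function csrf_tokens_match(string $cookieValue, string $formValue): bool
{
    if (strlen($cookieValue) !== 64) {   // reject empty or malformed cookies
        return false;
    }
    return hash_equals($cookieValue, $formValue);  // constant-time compare
}

/**
 * Hardened variant (HMAC-signed double submit): bind the random value to the
 * session ID with a server secret, so a cookie planted by an attacker who can
 * set cookies for the domain (sibling subdomain, plain HTTP) does not verify.
 */
function csrf_signed_token(string $sessionId): string
{
    $random = bin2hex(random_bytes(16));
    $mac    = hash_hmac('sha256', $sessionId . '!' . $random, CSRF_SECRET);
    return $mac . '.' . $random;
}

function csrf_signed_tokens_match(string $sessionId, string $cookieValue, string $formValue): bool
{
    if (!hash_equals($cookieValue, $formValue)) {
        return false;
    }
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$mac, $random] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '!' . $random, CSRF_SECRET);
    return hash_equals($expected, $mac);
}

// Request handling (skipped when the file is only included from the CLI).
if (PHP_SAPI !== 'cli') {
    session_start();                       // sets the session ID cookie
    $message = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $cookie = $_COOKIE[CSRF_COOKIE] ?? null;
        $body   = $_POST[CSRF_FIELD] ?? null;   // may be an array if tampered with
        if (is_string($cookie) && is_string($body) && csrf_tokens_match($cookie, $body)) {
            $message = 'Success: token in cookie matches token in form body.';
        } else {
            http_response_code(403);
            $message = 'Error: CSRF token missing or mismatched.';
        }
    } elseif (empty($_COOKIE[CSRF_COOKIE])) {
        csrf_set_cookie(csrf_generate_token());   // first visit: issue the token
    }
    ?>
<!doctype html>
<html><body>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<form method="post" action="">
  <input type="text" name="display_name">
  <input type="hidden" name="csrf_token" id="csrf_token" value="">
  <button type="submit">Update</button>
</form>
<script>
  // Copy the token cookie into the hidden field when the form loads. A page
  // on another origin cannot read this cookie, so it cannot supply a match.
  var m = document.cookie.match(/(?:^|;\s*)csrf_token=([^;]+)/);
  document.getElementById('csrf_token').value = m ? decodeURIComponent(m[1]) : '';
</script>
</body></html>
<?php
}
```

To try it, serve the file over HTTPS, load it once (the token cookie is issued), submit the form (success), then delete or edit the cookie in the browser's developer tools and submit again (403). To switch to the hardened form, issue csrf_signed_token(session_id()) instead of csrf_generate_token() and check with csrf_signed_tokens_match(session_id(), $cookie, $body); a cookie planted by an attacker will fail the HMAC check even if its value is repeated in the body.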
Step - 03 (screenshot not reproduced here)
Step - 04 (screenshot not reproduced here)