Reputation: 11
On a PHP project I'm working on, I'd like to implement an anti-XSRF mechanism. I'm generating a random token and I store it in my session, $_SESSION['token']. When I submit a form, I include my session token in a hidden field and verify if the transmitted token == stored token.
My question is: what is the security impact if I store this token in a cookie? I think both solutions are exploitable in case of XSS, for example, and I'm not able to see which storage is the best for the token.
Thanks for your help.
Upvotes: 1
Views: 2661
Reputation: 7701
If you follow the normal procedure to generate the token (something like sha1($username.$private_per_session_passphrase)), I don't think it makes much difference; you can either put your token in a cookie or a session var and you should be clear of CSRF vulnerabilities.
The main thing to consider is that the POST cannot be successful until you match the received token with yours (cookie/session). In other words, the page request should not be self-contained.
These may be interesting:
And this paper describes CSRF + XSS attacks:
https://www.htbridge.com/publications/xss_csrf_practical_exploitation_of_post_authentication_vulnerabilities_in_web_applications.html
Upvotes: 1
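To make the two storage choices concrete, here is an added example (not code from the question or the answer) showing the session-stored token the question describes next to a cookie-stored ("double submit") variant, both guarded by the check the answer insists on: the POST does nothing until the submitted hidden field matches the stored value. The function names, the csrf_token cookie name, and the form field name "token" are assumptions; the token is drawn from random_bytes() rather than derived with sha1() as the answer suggests.

```php
<?php
// Added example: anti-CSRF token held in the session (variant 1) or in a
// cookie (variant 2), with the server refusing the POST unless the submitted
// token matches the stored one. Names below are hypothetical.
declare(strict_types=1);

const CSRF_COOKIE = 'csrf_token';   // hypothetical cookie name

// A fresh token from the CSPRNG; no user data goes into it.
function csrf_generate_token(): string
{
    return bin2hex(random_bytes(32));
}

// --- Variant 1: token kept server-side in the session (the question's design)
function csrf_session_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = csrf_generate_token();
    }
    return $_SESSION['token'];
}

function csrf_session_verify(?string $submitted): bool
{
    if (empty($_SESSION['token']) || $submitted === null) {
        return false;
    }
    // hash_equals() compares in constant time, so no byte-by-byte leak.
    return hash_equals($_SESSION['token'], $submitted);
}

// --- Variant 2: "double submit" cookie (the storage the question asks about).
// The browser sends the cookie automatically, but a cross-site page cannot
// read it, so it cannot copy the value into the hidden field.
function csrf_cookie_token(): string
{
    if (empty($_COOKIE[CSRF_COOKIE])) {
        $token = csrf_generate_token();
        setcookie(CSRF_COOKIE, $token, [
            'httponly' => true,      // not readable via document.cookie
            'secure'   => true,
            'samesite' => 'Strict',
            'path'     => '/',
        ]);
        $_COOKIE[CSRF_COOKIE] = $token; // visible to the current request too
    }
    return $_COOKIE[CSRF_COOKIE];
}

function csrf_cookie_verify(?string $submitted): bool
{
    $stored = $_COOKIE[CSRF_COOKIE] ?? null;
    if ($stored === null || $submitted === null) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// The hidden field that carries the token back with the form.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Handling a POST: nothing state-changing happens before the token check.
function handle_post(callable $verify): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    if (!$verify($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... the real work goes here, only after a successful match ...
}

session_start();
handle_post('csrf_session_verify');          // or 'csrf_cookie_verify'
echo '<form method="post">',
     csrf_hidden_field(csrf_session_token()), // or csrf_cookie_token()
     '<button>Save</button></form>';
```

Either variant stops a plain cross-site form post, because the forged request can carry the cookie but not the matching hidden field. The cookie variant has one extra dependency worth knowing as a defender: anyone who can set a cookie for your domain (for example from a sibling subdomain) can plant a value they also know, so it is weaker than the session variant unless the cookie value is additionally bound to the session or signed. As the question notes, neither helps once XSS is present, since script running in the page can read the hidden field straight out of the DOM regardless of where the server keeps its copy.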