Ranama

Reputation: 131

Protecting website from CSRF by sending the validate cookie as parameter?

From what I've understood, CSRF attacks work like this:

  1. When you check if a user is logged in to your website, you check if a validate cookie is set and matches the database.
  2. A 3rd party sends the user to a site in your website, for example "changePassword.php".
  3. The site "changePassword.php" will check if the user is logged in by checking that the cookie matches the database; if it is set, the page will "change the password".
    It is set since you logged in to the website in another tab, therefore the password will be changed.

To prevent this, websites are using a token that is generated randomly by the webpage and stored as a session; then your webpage sends this token with the request as a parameter, since that makes the website know the user really visited the website and performed the action.

The question is:

Instead of sending a token as a parameter, can you just send the logged in cookie as a parameter?

Since cookies are website-specific, I cannot see a way another page would be able to send this cookie as a parameter to your website.

Upvotes: 1

Views: 69

Answers (2)

SilverlightFox

Reputation: 33538

Yes you can, assuming "logged in cookie" is a cryptographically secure session identifier.

This method of CSRF defence is known as Double Submit Cookies:

Double submitting cookies is defined as sending a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value are equal.

Normally this value is separate from the session ID, but there is no reason not to use it if your session IDs are static.

In a CSRF attack, the attacker can only submit the victim's cookies to the target site using the victim's browser. There is no way of the attacker actually reading the cookie value, nor a copy of this value set as a POST parameter. So, double submit cookies is a good CSRF defence.

Note that using a GET parameter is not recommended, as this value can be leaked in the referer header.

Upvotes: 2
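
A server-side sketch of the double-submit check described in the answer above, added here as an illustration and not code from either poster. The cookie name `session_id`, the form field `csrf_token` and the function names are assumptions, and the requests in `demo()` are constructed.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "session_id"  # assumed cookie name
FIELD_NAME = "csrf_token"   # assumed hidden form field name


def new_session_id() -> str:
    """Cryptographically secure identifier, as the answer requires."""
    return secrets.token_urlsafe(32)


def is_request_allowed(method: str, cookie_header: str, body: str) -> bool:
    """Double-submit check for a state-changing request.

    The cookie value must also arrive in the POST body. The query string
    is never read, so the value is not accepted as a GET parameter.
    """
    if method.upper() != "POST":
        return False
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get(COOKIE_NAME)
    submitted = parse_qs(body or "").get(FIELD_NAME, [])
    if morsel is None or not morsel.value or len(submitted) != 1:
        return False
    # Constant-time comparison of the two copies of the value.
    return hmac.compare_digest(morsel.value.encode(), submitted[0].encode())


def demo() -> dict:
    """Constructed requests: one from the site's own form, three without a valid copy."""
    sid = new_session_id()
    cookie = f"{COOKIE_NAME}={sid}"
    return {
        "own_form": is_request_allowed("POST", cookie, f"new_password=x&{FIELD_NAME}={sid}"),
        "cookie_only": is_request_allowed("POST", cookie, "new_password=x"),
        "wrong_value": is_request_allowed("POST", cookie, f"new_password=x&{FIELD_NAME}=guess"),
        "get_method": is_request_allowed("GET", cookie, f"{FIELD_NAME}={sid}"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the request whose body repeats the cookie value is accepted; a request that carries the cookie alone, which is all a cross-site submission can produce, is rejected.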

Ranama

Reputation: 131

I found out why this won't work: if you send your cookie as a parameter there will always be a way for the attacker to use that (jQuery?) function, or similar. Therefore you will always have to get the token from the webpage. You could maybe print the cookie and then get it that way, but it would just be easier to make a session token as a hidden input to the website.

Upvotes: 0
