Using Double Submit Cookies Pattern

If maintaining server-side state for the CSRF token is problematic, an alternative defence is the double submit cookie technique. It is easy to implement and stateless. The server sends a random value both as a cookie and as a request parameter, and on each request verifies that the cookie value and the request value match. When a user first visits (even before authenticating, to prevent login CSRF), the site generates a cryptographically strong pseudorandom value and sets it as a cookie on the user's machine, separate from the session identifier. The site then requires that every transaction request include this value as a hidden form field (or another request parameter or header). If the two values match on the server side, the server accepts the request as legitimate; if they don't, it rejects the request.
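The following is an added example, not code from the original post or from the PHP files it refers to; it shows the two halves of the technique in Python: issuing the cookie on the first visit and echoing it into the form, then comparing cookie and form values on a transaction. The cookie and field names, the helper names and the `/transfer` form action are assumptions chosen for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed names for the example; the post does not fix any particular ones.
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"
TOKEN_BYTES = 32


def generate_token() -> str:
    """Cryptographically strong random value, independent of the session id."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def set_token_cookie(token: str) -> str:
    """Set-Cookie header value for the anti-CSRF cookie.

    HttpOnly is acceptable here because the server, not client-side script,
    copies the value into the hidden form field."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_cookie_header(cookie_header: str) -> dict:
    """Turn a raw Cookie request header into a name -> value mapping."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def render_form(token: str) -> str:
    """Server-side rendering: echo the cookie value into a hidden field."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input type="submit" value="Transfer"></form>'
    )


def check_token(cookies: dict, params: dict) -> bool:
    """The server-side comparison: both values present and equal.

    Missing cookie, missing parameter or an empty value all fail closed.
    compare_digest avoids leaking the position of the first mismatch."""
    cookie_value = cookies.get(COOKIE_NAME)
    request_value = params.get(FIELD_NAME)
    if not cookie_value or not request_value:
        return False
    return hmac.compare_digest(cookie_value.encode(), request_value.encode())


def handle_first_visit(cookie_header: str) -> tuple:
    """Step 1: issue the token cookie if the browser does not have one yet.

    Returns (headers_to_set, html) so the caller can write the response."""
    cookies = parse_cookie_header(cookie_header)
    token = cookies.get(COOKIE_NAME)
    headers = []
    if not token:
        token = generate_token()
        headers.append(("Set-Cookie", set_token_cookie(token)))
    return headers, render_form(token)


def handle_transaction(cookie_header: str, params: dict) -> int:
    """Step 2: accept (200) or reject (403) a state-changing request."""
    cookies = parse_cookie_header(cookie_header)
    return 200 if check_token(cookies, params) else 403


if __name__ == "__main__":
    # Constructed walk-through: first visit, then a legitimate submit,
    # then a forged submit that carries the cookie but not the field.
    headers, html = handle_first_visit("")
    token = headers[0][1].split(";")[0].split("=", 1)[1]
    print(headers[0][1])
    print(handle_transaction(f"{COOKIE_NAME}={token}", {FIELD_NAME: token}))
    print(handle_transaction(f"{COOKIE_NAME}={token}", {}))
```

A cross-site request from the attacker's page carries the victim's cookie automatically but cannot read it, so it cannot supply the matching hidden field and lands in the 403 branch. The pattern only holds as long as the attacker cannot write cookies for the site's domain, so pairing it with `Secure`, `SameSite` and HTTPS everywhere matters more than it does for a server-stored token.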


Figure: DSCP mechanism (Client / Server)

01. The CSRF token for the session is generated and set as a cookie in the browser (index.php).
02. The two values received are then compared (token.php, 'check_token' function; control.php).
