Using Synchronize Token



This is the concept used to mitigate CSRF (Cross-Site Request Forgery). The Synchronizer Token Pattern (STP) is a technique in which a token, a secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. The server generates the token and guarantees its uniqueness. In this implementation the server generates one token per session. Because the attacker cannot read that token, they are unable to put a correct token in their forged requests, so the server rejects them.

STP mechanism


Advantages:

  • Simple to implement.
  • Works with AJAX.
  • Works with forms.
  • Cookie can be HTTP Only.


Disadvantages: 

  • All forms must output the hidden field in HTML.
  • Any AJAX POSTs must also include the value.
  • The page must know in advance that it requires the CSRF token so it can include it in the page content. As a result every page must carry the token value somewhere, which can make the pattern time consuming to implement on a large site.
Sample source code: https://github.com/isurusri/SynchronizeTokenPattern
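The per-session token flow described above, as an added example that is not the linked repository's code: the server issues one unpredictable token per session, embeds it as a hidden field in the form (or expects it in an AJAX header), and rejects any POST whose token does not match the session's token. The session store, the `/transfer` action and the `X-CSRF-Token` header name are assumptions for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> CSRF token.
# A real application keeps this in its server-side session storage.
SESSION_TOKENS = {}


def issue_token(session_id):
    """Return the session's CSRF token, generating it on first use.

    One unpredictable token per session: the attacker's page cannot read
    it cross-origin, so a forged request cannot carry a valid value.
    """
    token = SESSION_TOKENS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        SESSION_TOKENS[session_id] = token
    return token


def render_form(session_id, action="/transfer"):
    """Embed the token as a hidden field in every state-changing form."""
    token = html.escape(issue_token(session_id), quote=True)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="amount">'
        '<button type="submit">Send</button></form>'
    )


def verify_token(session_id, submitted):
    """Constant-time comparison against the token stored for this session."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session_id, form, headers=None):
    """Server-side handler: form field for HTML forms, header for AJAX."""
    headers = headers or {}
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not verify_token(session_id, submitted):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer accepted"
```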
