7

I have already seen some questions from here (stackoverflow) and THIS post, but I still have some questions...

  1. Using a hidden value in the POST form and checking it when the POST reaches the server.

    • The hidden value can easily be copied and sent exactly like the real one; "hard to guess" (like md5) will not help. (right?)
  2. Setting a cookie when you reach the form and sending the cookie value as a hidden value.

    • You can easily change a cookie value or send a custom cookie exactly like the real one using the same real hidden value. (right?)
  3. Using a 'timeout', so the POST values cannot arrive too late.

    • So, if you're slow you will fail when you try to set everything up with the hidden value. If you're fast it is going to work. (right?)

I want to be protected against CSRF... but how exactly do I do it?

Oded
  • 489,969
  • 99
  • 883
  • 1,009
Pedro Gabriel
  • 505
  • 2
  • 11
  • 25

2 Answers

8

The easiest way I found to prevent CSRF issues is:

  1. On the server side, assign an HttpOnly cookie to the client with a random (unguessable) token

  2. Place a hidden field on the form with that cookie value

  3. Upon form submit, ensure the hidden field value equals the cookie value (on the server side of things)

Matthew
  • 24,703
  • 9
  • 76
  • 110
  • If I send a "custom" cookie (e.g. using cURL) and a value exactly equal to the cookie value (custom cookie got "a" and hidden value got "a" too), it is going to work (I think), sending the form values as the real one. – Pedro Gabriel Jan 03 '12 at 18:36
  • 2
    That will work, but CSRF protection isn't to prevent people from submitting forms altogether, only to prevent people from posting forms as others (i.e. someone in a logged-in, authorized state). The whole purpose of the random token is that user B (a hacker) does not know user A's token, and therefore cannot forge a request as them. – Matthew Jan 03 '12 at 18:43
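The three steps in the accepted answer, and the cURL case raised in the comments, as an added example (not code from the answerer; cookie and field names `csrf_token` and the request dictionaries are assumptions standing in for a real HTTP framework):

```python
import hmac
import secrets
from typing import Mapping

CSRF_COOKIE = "csrf_token"  # assumed cookie name
CSRF_FIELD = "csrf_token"   # assumed hidden form field name


def issue_token() -> str:
    """Step 1: mint a random, unguessable token for the cookie.

    A real response would send it as:
    Set-Cookie: csrf_token=<token>; HttpOnly; Secure; SameSite=Lax
    """
    return secrets.token_urlsafe(32)


def render_form(cookies: Mapping[str, str]) -> str:
    """Step 2: embed the cookie value in the form as a hidden field.

    token_urlsafe only yields [A-Za-z0-9_-], so no HTML escaping is needed here.
    """
    return f'<input type="hidden" name="{CSRF_FIELD}" value="{cookies[CSRF_COOKIE]}">'


def csrf_check(cookies: Mapping[str, str], form: Mapping[str, str]) -> bool:
    """Step 3: hidden field must equal the cookie; compare in constant time."""
    cookie_tok = cookies.get(CSRF_COOKIE)
    form_tok = form.get(CSRF_FIELD)
    if not cookie_tok or not form_tok:
        return False
    return hmac.compare_digest(cookie_tok, form_tok)


def demo() -> dict:
    """Constructed requests showing which submissions the check accepts and why."""
    victim_cookies = {"session": "victim-session", CSRF_COOKIE: issue_token()}
    # Legitimate submit: the browser sends the cookie plus the form the server rendered.
    legit_form = {CSRF_FIELD: victim_cookies[CSRF_COOKIE], "amount": "10"}
    # Cross-site forgery: the victim's browser attaches the victim's cookies, but the
    # attacker's page cannot read them, so the hidden field can only hold a guess.
    forged_form = {CSRF_FIELD: secrets.token_urlsafe(32), "amount": "10"}
    # The cURL case from the comments: cookie "a" and field "a" on the sender's OWN
    # request. The check passes, but no victim session is involved, so it is not CSRF.
    own_cookies = {CSRF_COOKIE: "a"}
    own_form = {CSRF_FIELD: "a"}
    return {
        "legitimate": csrf_check(victim_cookies, legit_form),
        "forged_cross_site": csrf_check(victim_cookies, forged_form),
        "own_request_matching_pair": csrf_check(own_cookies, own_form),
    }
```

The only case the check must stop is the second one, where the victim's cookie rides along but the form token does not match it.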
-1

If you make the following changes then I think you're safe:

  • no data updates should be allowed through GET (or, better, through POST as well), since both can be used through HTML forms
  • disable CORS on your server (or at least on endpoints that are critical and/or make changes to data)
  • allow JSON-only APIs (i.e. only accept input through JSON, on critical endpoints at least)

Just to add to above: Do not use method overrides and do not support old browsers.

RTSid
  • 17
  • 4