 

CSRF: Can I use a cookie?

Is it ok to put the CSRF token in a cookie? (and in every form, as a hidden input, so I can check if they match, of course) I heard someone say that doing so, beats the whole purpose of the token, though I don't understand why. It seems secure to me.

And if it is secure, is it any less secure than putting the token in the URLs?

Is there any other method?

Where can I read more on the subject?

UPDATE: So far no one can tell me how the cookie method is insecure, if it still has to match the token from the form, which the attacker shouldn't be able to get, unless he uses another hack like XSS, which is a different matter, and still doesn't make a difference between using a cookie and a URL token.

UPDATE 2: Okay, seems like some famous frameworks use this method, so it should be fine. Thanks

510 likes
HappyDeveloper asked Dec 16 '10 17:12



People also ask

Is HTTPOnly cookie safe from CSRF?

The answer is no - the HTTPOnly flag will not mitigate any of this.


1 Answer

Using cookies works, and is a common practice (e.g. Django uses it). The attacker cannot read or change the value of the cookie due to the same-origin policy, and thus cannot guess the right GET/POST parameter.

117 likes
Tgr answered Nov 20 '22 15:11

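The pattern the question and the answer describe (token in a cookie, the same token in a hidden form field, server compares the two) is usually called the "double-submit cookie". The following is an added example of that check, written here for illustration; it is not code from the question, the answer, or Django. The names `COOKIE_NAME`, `FIELD_NAME`, `Request`, `issue_token`, `csrf_check` and `demo` are assumptions, and the `Request` class stands in for whatever request object a real framework provides. It uses only the Python standard library.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed names for the cookie and the hidden form field (not Django's real names).
COOKIE_NAME = "csrf_cookie"
FIELD_NAME = "csrf_token"


def issue_token() -> str:
    """Generate a fresh, unguessable token (256 bits of entropy, URL-safe)."""
    return secrets.token_urlsafe(32)


@dataclass
class Request:
    """Minimal stand-in for a framework request: parsed cookies and POST form fields."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def render_form(token: str) -> str:
    """Embed the token in the page as a hidden field; the same value is set in the cookie."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<button>Submit</button></form>'
    )


def csrf_check(request: Request) -> bool:
    """Double-submit check: accept the POST only if the cookie value and the
    form field are both present and identical.

    A cross-site page can make the browser *send* the cookie, but the
    same-origin policy stops it from *reading* the cookie, so it cannot put
    the matching value into its own form field. Comparing in constant time
    avoids leaking how many leading characters matched.
    """
    cookie_token = request.cookies.get(COOKIE_NAME)
    form_token = request.form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def demo() -> tuple:
    """Constructed requests showing the three outcomes a server sees."""
    token = issue_token()
    # Same-origin form rendered by the site: cookie and field agree.
    legit = Request(cookies={COOKIE_NAME: token}, form={FIELD_NAME: token})
    # Cross-site form: the browser still attaches the cookie, but the field
    # value had to be made up because the cookie could not be read.
    forged = Request(cookies={COOKIE_NAME: token}, form={FIELD_NAME: "made-up-value"})
    # Form submitted without any token field at all.
    missing = Request(cookies={COOKIE_NAME: token}, form={})
    return csrf_check(legit), csrf_check(forged), csrf_check(missing)


if __name__ == "__main__":
    print(render_form(issue_token()))
    print(demo())  # (True, False, False)
```

Two points worth noting when deploying this: the cookie must be set by the site itself and the check must only guard state-changing (POST) requests; GET handlers that change state bypass it entirely. The check also relies on the attacker not being able to plant a cookie for the same domain, which is why frameworks that use this pattern pair it with HTTPS and careful cookie scoping.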