Why CSRF token should be in meta tag and in cookie?

What's the need to put the CSRF token name and value inside the <head> tag using <meta>, like:

e.g:

<meta content="authenticity_token" name="csrf-param" />
<meta content="4sWPhTlJAmt1IcyNq1FCyivsAVhHqjiDCKRXOgOQock=" name="csrf-token" />

I've read about the concept of keeping the CSRF value in a cookie, but have not found why to keep it inside the <head> tag.

Vin.AI asked Jan 31 '14 06:01



2 Answers

To prevent CSRF you need a value that is submitted with the request that cannot be sent by a malicious site. Authentication cookies are not suitable because if an attacker can make the browser send a request to the victim site, the cookies will automatically be submitted.

For example, by submitting a form via JavaScript contained on www.evil.com to attack the user's session on www.example.com:

<form method="post" action="https://www.example.com/executeAction">
    <input type="hidden" name="action" value="deleteAllUsers">
</form>
<script>document.forms[0].submit()</script>

Storing an anti-CSRF token within the page is the OWASP recommended solution for preventing another website from submitting the form, as the random token in the user's session cannot be read by www.evil.com due to the Same Origin Policy preventing JavaScript on www.evil.com reading the page content of www.example.com.

These tokens can be stored anywhere within the page. Most commonly it will be within hidden form fields, but they could also be stored within HTML 5 data- attributes. It seems like using meta tags is simply another way it can be stored where the JavaScript can include it in any form submissions the page makes.

SilverlightFox answered Sep 20 '22 16:09


CSRF tokens normally go in a form as hidden form fields. Putting them in a meta tag only makes sense if you are using JavaScript. JavaScript could read the tokens from the meta tag and post them to an action.

You wouldn't want to put a CSRF token in a cookie because the cookie will be sent for every request to the specific website from the web browser regardless of its origin. The only exception would be secure cookies, which are supposed to follow the same-origin policy.

Marcus Adams answered Sep 23 '22 16:09