Synchronizer token pattern

February 25, 2019 | Views: 2907

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

In this post let’s discuss about using a synchronizer token pattern to prevent CSRF (CSRF meaning Cross-site request forgery.). Synchronizer token pattern (STP) is a technique where a token, secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. 
Then the token is generated by the server with ensuring the uniqueness. In here server generates token per every session. In that case the attacker is unable to place a correct token in their requests to authenticate them.

Why STP?

A third party attacker cannot perform a CSRF attack, because cross domain AJAX calls are not possible. This means, the victim is in, and cannot request the CSRF token from the server via an ajax, because the domain doesn’t match each other, and cross domain ajax calls are not possible as I mentioned before.
Let’s understand Synchronizer token pattern with a flow diagram.
  1.  User sends GET request to a server
  2.  Server sets the cookie with session_id, and saving session data with the token
  3.  Server returns HTML with a form containing token in a hidden field.
  4. User submits form, along with a hidden field.
  5. Server compares token from the submitted form (hidden field) with the token saved in the session storage. If they match, it means that form is submitted by a user.



  • Simple to implement.
  • Works with AJAX.
  • Works with forms.
  • Cookie can actually be HTTP Only.


  • All forms must output the hidden field in HTML.
  • Any AJAX POSTs must also include the value.
  • The page must know in advance that it requires the CSRF token so it can include it in the page content so all pages must contain the token value somewhere, which could make it time consuming to implement for a large site.
Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
1 Comment
  1. would like to know how asynchronus token works?

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?