In this post let's discuss using the synchronizer token pattern to prevent CSRF (cross-site request forgery). The synchronizer token pattern (STP) is a technique where a secret, unpredictable token is embedded by the web application in every HTML form that performs a state-changing action and verified on the server side when the form is submitted. The token can be unique per request or per session.
The token is generated by the server with a cryptographically secure random generator, so it cannot be guessed. In this post the server generates one token per session and stores it in the server-side session data. An attacker who has never seen the token cannot place a correct value in a forged request, so the server rejects it.
A third-party site cannot obtain the token. If the victim is logged in to banker.com, a page on attacker.com can make the browser send a request to banker.com, and the browser will attach the banker.com session cookie automatically, but the same-origin policy stops attacker.com from reading the response (unless banker.com explicitly allows that origin via CORS). The token is only in HTML that banker.com served to the victim's browser, so attacker.com never sees it and cannot include it in the forged request.
Let's understand the synchronizer token pattern with a flow diagram.
- User sends a GET request to the server.
- Server sets a cookie with the session_id and stores the newly generated token in the server-side session data.
- Server returns HTML with a form containing the token in a hidden field.
- User submits the form; the browser sends the hidden token field along with the other fields.
- Server compares the token from the submitted hidden field with the token saved in session storage, using a constant-time comparison. If they match, the form was submitted from a page the server itself rendered for this session; otherwise the request is rejected.
Advantages:
- Simple to implement.
- Works with AJAX: the page's own JavaScript reads the token from the page and sends it in a request header or body field.
- Works with plain HTML forms.
- The session cookie can be HttpOnly, because script never needs to read the token from the cookie; the token is delivered in the page itself.
Disadvantages:
- All forms must output the hidden field in their HTML.
- Any AJAX POST must also include the token value.
- Every page that performs a state-changing action must know in advance that it needs the token and include it in its content, so the token value has to be rendered somewhere on all such pages, which can make retrofitting a large site time consuming.
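The flow above, worked as an added example (not code from the original post): a minimal, framework-free Python model of a banker.com server that keeps one CSRF token per session, renders it into a hidden field, and verifies it on POST from either the form field or an X-CSRF-Token header. The route names, field names and the in-memory session store are assumptions for illustration; the scenarios at the bottom are constructed to show a legitimate submit, a forged cross-site POST without a token, a forged POST reusing a token from the attacker's own session, and a same-origin AJAX call.

```python
import hmac
import secrets
from html import escape

# Added example, not the original post's code. Hypothetical toy server:
# sessions live in a dict, and POST /transfer is the state-changing action.


class SynchronizerTokenServer:
    """Minimal banker.com holding sessions in memory (assumed design)."""

    def __init__(self):
        self.sessions = {}   # session_id -> {"user": ..., "csrf_token": ...}
        self.transfers = []  # side effect of every accepted POST /transfer

    def _new_session(self, user):
        session_id = secrets.token_urlsafe(32)
        # One unpredictable token per session, from a CSPRNG (secrets module).
        self.sessions[session_id] = {"user": user,
                                     "csrf_token": secrets.token_urlsafe(32)}
        return session_id

    def handle_get(self, user, session_cookie=None):
        """GET /transfer. Returns (Set-Cookie value, HTML). Steps 1-3 of the flow."""
        if session_cookie not in self.sessions:
            session_cookie = self._new_session(user)
        token = self.sessions[session_cookie]["csrf_token"]
        html = (
            '<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
            '<input name="to"><input name="amount"><button>Send</button></form>'
        )
        # The token travels in the page, so the cookie can stay HttpOnly.
        return f"session_id={session_cookie}; HttpOnly; Secure; SameSite=Lax", html

    def handle_post(self, session_cookie, form, headers=None):
        """POST /transfer. Returns (status, reason). Steps 4-5 of the flow."""
        headers = headers or {}
        session = self.sessions.get(session_cookie)
        if session is None:
            return 401, "no session"
        # HTML forms send the token as a field; AJAX sends it as a header.
        submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
        if not submitted:
            return 403, "missing csrf token"
        # Constant-time comparison so timing does not leak the stored token.
        if not hmac.compare_digest(submitted, session["csrf_token"]):
            return 403, "csrf token mismatch"
        self.transfers.append((session["user"], form["to"], form["amount"]))
        return 200, "transfer done"


def extract_token(html):
    """What the browser (or the page's own JS) does: read the hidden field."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def run_scenarios():
    """Constructed scenarios; returns ({name: (status, reason)}, transfers)."""
    server = SynchronizerTokenServer()
    cookie, html = server.handle_get("alice")          # victim loads the form
    victim_sid = cookie.split(";")[0].split("=", 1)[1]  # what the browser stores
    results = {}

    # 1. Legitimate submit: the browser echoes the hidden field back.
    results["legit"] = server.handle_post(
        victim_sid, {"csrf_token": extract_token(html), "to": "bob", "amount": "10"})

    # 2. attacker.com auto-submits a form. The browser attaches alice's cookie,
    #    but attacker.com never saw the token, so the request carries none.
    results["forged_no_token"] = server.handle_post(
        victim_sid, {"to": "mallory", "amount": "1000"})

    # 3. Attacker reuses a token from their own session. Tokens are bound to
    #    the session that issued them, so it does not match alice's.
    _, attacker_html = server.handle_get("mallory")
    results["forged_other_session_token"] = server.handle_post(
        victim_sid, {"csrf_token": extract_token(attacker_html),
                     "to": "mallory", "amount": "1000"})

    # 4. Same-origin AJAX from banker.com's own JS, token in a header.
    results["ajax"] = server.handle_post(
        victim_sid, {"to": "carol", "amount": "5"},
        headers={"X-CSRF-Token": extract_token(html)})
    return results, server.transfers


if __name__ == "__main__":
    for name, outcome in run_scenarios()[0].items():
        print(f"{name}: {outcome}")
```

Scenario 3 is the reason the token is looked up through the victim's session rather than validated on its own: a token that is merely well-formed, or valid for some other session, must still fail.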