Double Submit Cookie Pattern
- Chamodi Abisheka
- Oct 9, 2019
- 2 min read
Updated: Oct 10, 2019
Previously I discussed how the Synchronizer Token Pattern can be used to prevent Cross-Site Request Forgery (CSRF) attacks. In this blog I will discuss another anti-CSRF method: the double submit cookie pattern.
Synchronizer Token Pattern vs Double Submit Cookies
Just like the synchronizer token pattern, this method also uses a CSRF token and a session ID to validate a session. The difference is where they live: in the synchronizer token pattern they are kept in server-side storage, whereas in the double submit cookie pattern they are stored in the browser as cookies.
How does it work?
The double submit cookie method works with two values. The same random value is sent both as a cookie and as a request parameter, and the server checks whether the two values are equal. Because the server does not need to store the token, this is also known as the stateless CSRF defense.

I have demonstrated the above process using a PHP application. The project is available here.
Below is the login form used to authenticate a user. A POST request is sent when the form is submitted.

The following flow chart demonstrates actions that take place after submitting the login form.

Generation of the session ID is done by the following PHP function.

The following section of code stores the generated session ID and the server-issued CSRF token as browser cookies after validating the credentials.

We can observe the cookies in the browser after successfully logging in.

Next, the authenticated user is redirected to an update page where he/she can update two fields: first name and last name.
The following flow chart demonstrates actions that take place after submitting the update form.

I have implemented an AJAX call to retrieve the stored CSRF value from the browser cookie.

Next, the CSRF token received in the cookie and the token sent in the request body from the previous page are compared to check whether they are the same value.

If the values are the same, a success message is displayed; if not, an error is displayed.
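As an added example (not the code from my project above), here is a minimal PHP version of the two halves of the pattern: issuing the token cookie after login, and comparing the cookie value with the value posted from the update form. It assumes PHP 7.3 or later and a cookie and form field both named `csrf_token`.

```php
<?php
// Added example of the double submit cookie check (not the project's own code).
// Assumed names: a cookie called csrf_token and a POST field called csrf_token.

// Generate one unpredictable token per login from the CSPRNG (64 hex characters).
function generate_csrf_token(): string {
    return bin2hex(random_bytes(32));
}

// Issue the token as a cookie once the credentials have been validated.
// The cookie is deliberately NOT HttpOnly: the page's JavaScript must read it
// and copy it into the request body, which is what makes the check work.
function issue_csrf_cookie(string $token): void {
    setcookie('csrf_token', $token, [
        'expires'  => 0,          // session cookie
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => false,      // readable by the page's own script
        'samesite' => 'Strict',
    ]);
}

// Stateless validation: nothing is looked up on the server, the cookie value
// and the request value simply have to match. hash_equals() avoids a timing
// side channel, and the format check rejects garbage before comparing.
function validate_double_submit(?string $cookieToken, ?string $requestToken): bool {
    if ($cookieToken === null || $requestToken === null) {
        return false;
    }
    if (strlen($cookieToken) !== 64 || !ctype_xdigit($cookieToken)) {
        return false;
    }
    return hash_equals($cookieToken, $requestToken);
}

// Handler for the update form: reject the request unless both copies agree.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = validate_double_submit(
        $_COOKIE['csrf_token'] ?? null,
        $_POST['csrf_token'] ?? null
    );
    if (!$ok) {
        http_response_code(403);
        echo 'CSRF validation failed';
        exit;
    }
    // ... update first name and last name here ...
    echo 'Update successful';
}
```

A forged cross-site form can include any `csrf_token` field it likes, but it cannot read or set the victim's cookie for this origin, so the two values will not match and the request is rejected.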

Summary
These 2 flow charts summarize the above processes.


Link to source code.