how to generate and validate csrf tokens

About

Asked 12/5, 2011 at 11:58 Answered 12/5, 2011 at 12:3

what is the best way to generate a csrf token and verify. From what i have been able to gather, even if you have a hidden form field in a "post" form a hacker can simply get that form using ajax, take the csrf token and send another request to the site to submit the form.

And if we are to check the headers sent to us... then the hacker could simply send the csrf token to a server side script that will then emulate the http headers.

So how does one actually generate and verify csrf tokens?

Sunbreak answered 12/5, 2011 at 11:58 Comment(0)

All token-based CSRF protections can be defeated with XSS, which is what you seem to "have been able to gather". This will be a good read for you: OWASP on CSRF

Subtract answered 12/5, 2011 at 12:3 Comment(2)

so if i tackle the XSS on my site, I will be able to use token based CSRF prevention? – Sunbreak 12/5, 2011 at 12:8

Basically yes, but it is by no means trivial to get it right. If you follow the guidelines in that link, you'll be in pretty good shape. – Subtract 12/5, 2011 at 12:13

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags