Posts

CSRF Protection using Double Submitted Cookies

Here we look at double-submitted cookies as a CSRF protection. With synchronizer tokens the server has to generate a token and keep it in the session for every logged-in client, which costs server-side state and work on each request. Double-submitted cookies avoid that state: the token is issued in a cookie and the server only has to compare two copies of it.

The technique needs JavaScript in the page, so the token cookie's HttpOnly flag must be off (page JavaScript has to be able to read it). The token is then sent twice with each state-changing request: once automatically by the browser in the Cookie header, and once in the request body (or a custom request header) by the page. The server compares the two copies; if they match the request is allowed, otherwise it is denied. A cross-site page can make the browser send the cookie, but it cannot read it, so it cannot supply the matching second copy. Note that the check rests on an attacker being unable to set cookies for your domain; marking the cookie Secure and SameSite, and binding the token to the session, harden it further.

On the client side (index.php) we start the session and store the session id in a cookie. We then create a token and store it in a second cookie, and set the value of the hidden form field to "<? echo $token ?>" so that the hidden token is posted to the server when the user clicks the login button. Finally we write a function on the server side that validates the login by comparing the token from the cookie with the token from the form. Get the full code from here

CSRF Protection using Synchronizer Tokens

What is cross-site request forgery? Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

We can prevent this kind of attack in two ways: 1. Synchronizer tokens 2. Double-submitted cookies. Here we consider synchronizer tokens. When the user logs in, a random token is generated and stored on the server side (in the session) and sent to the client side embedded in the page, for example as a hidden form field. An attacker building a forged request does not know the token value, so cannot craft a request that carries the correct token. Even if the victim clicks the attacker's link, the request does no harm, because the token check on the server will fail.

The first step is to start the session in index.php. Then we create a cookie and set the session id in the cook