Client-generated double-submit cookie, cross-site request forgery prevention

Posted by james on Stack Overflow
Published on 2010-04-01T15:31:51Z


In a double-submitted cookie CSRF prevention scheme, is it necessary for the server to provide the cookie?

It seems I could have JavaScript on the client's page generate and set a cookie "anti_csrf", then double-submit that (once as a cookie, done by the browser, and once in the body of the request).

A foreign domain would not be able to read or write the "anti_csrf" cookie to include it in the body of a request.

Is this secure, or am I overlooking something?

