Client-generated double submit cookie, cross-site request forgery prevention
Posted by james on Stack Overflow
Published on 2010-04-01T15:31:51Z
Indexed on 2010/04/01 15:33 UTC
In a double-submitted cookie CSRF prevention scheme, is it necessary for the server to provide the cookie?
It seems I could have JavaScript on the client's page generate and set a cookie "anti_csrf", then double submit that (once as a cookie, done by the browser, and once in the body of the request).
A foreign domain would not be able to read or write the "anti_csrf" cookie to include it in the body of a request.
Is this secure, or am I overlooking something?
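The server-side half of the scheme described in the question, as an added example that is not part of the original post: whoever sets the cookie (server or page script), the server's job is only to confirm that the copy in the `anti_csrf` cookie and the copy in the request body are identical. The form field name `anti_csrf`, the minimum token length and the sample requests are assumptions made for this example; `generate_token` stands in for whatever random source the page script would use.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "anti_csrf"   # cookie name from the question
FIELD_NAME = "anti_csrf"    # assumed: name of the form field carrying the second copy
MIN_TOKEN_LEN = 32          # assumed: reject short or empty tokens outright


def generate_token():
    """Random, unguessable token; the same value is stored in the cookie and the form."""
    return secrets.token_urlsafe(32)


def verify_double_submit(cookie_header, form_body):
    """Return True only when the cookie copy and the body copy are both present,
    long enough, and identical. Runs for every state-changing request."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get(COOKIE_NAME)
    cookie_token = morsel.value if morsel else ""
    body_token = parse_qs(form_body or "").get(FIELD_NAME, [""])[0]
    # A missing or short copy on either side fails closed.
    if len(cookie_token) < MIN_TOKEN_LEN or len(body_token) < MIN_TOKEN_LEN:
        return False
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(cookie_token, body_token)


def handle_post(cookie_header, form_body):
    """Tiny request handler: 403 when the double-submit check fails, 200 otherwise."""
    return 200 if verify_double_submit(cookie_header, form_body) else 403


if __name__ == "__main__":
    token = generate_token()
    # Constructed request from the site's own page: browser sends the cookie,
    # the page script copied the same value into the form body.
    print(handle_post(f"{COOKIE_NAME}={token}", f"{FIELD_NAME}={token}&amount=5"))
    # Constructed cross-site request: the browser still attaches the cookie,
    # but the foreign page could not read it, so the body copy is absent.
    print(handle_post(f"{COOKIE_NAME}={token}", "amount=5"))
```

The comparison only proves that both copies came from a context able to read the cookie, which is why the scheme depends on nobody else being able to set cookies for the site; it does not bind the token to a session, so the server cannot tell a token it issued from one the page script made up, exactly the property the question is asking about.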