Kirill Nesmeyanov, 2014-11-07 13:23:21
Information Security

Why is the CSRF token not put in a cookie?

Often, to make things simpler, the token is placed in a meta tag and pulled out of it when needed, with helpers or other wrappers written around that.
But here's what I've been thinking: I have never seen the CSRF token stored in a cookie (even an HttpOnly one). It really would be easier to use; afterwards no extra steps (trivial as they are) would be needed to send data. Are there pitfalls here that you don't immediately think of?


3 answers
apasen, 2014-11-07
@apasen

It can also be faked.

DaNHell, 2014-11-13
@DaNHell

So actually, that's the whole point. :)
On receipt of each request, the token from the cookie and the token passed in the form parameters are compared. If they match, the source of the request is legitimate. Then the token is generated anew, set in the cookie again, and so on, in a loop.
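The cookie-versus-form comparison described in this answer, written out as an added example (not code from the thread). The plain check is shown next to a version that additionally binds the cookie token to the session with an HMAC, which is the usual way to address the "it can be faked" objection raised earlier; `SERVER_SECRET`, the `nonce.tag` token format and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example secret; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def naive_double_submit(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """The scheme as described: accept when cookie and form copies match."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Issue a fresh token of the form "<nonce>.<hmac>" bound to session_id.

    Regenerate and reset the cookie after every verified request, as the
    answer above suggests; the HMAC lets the server reject a cookie/form pair
    that merely agrees with itself but was never minted for this session.
    """
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_request(session_id: str, cookie_token: Optional[str],
                   form_token: Optional[str], secret: bytes = SERVER_SECRET) -> bool:
    """Signed double-submit: copies must match AND the tag must be valid."""
    if not naive_double_submit(cookie_token, form_token):
        return False
    nonce, sep, tag = cookie_token.partition(".")
    if sep != "." or not nonce or not tag:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print("legitimate request accepted:", verify_request("sess-A", tok, tok))
    forged = "0000.0000"  # attacker-chosen pair that agrees with itself
    print("naive check on forged pair:", naive_double_submit(forged, forged))
    print("signed check on forged pair:", verify_request("sess-A", forged, forged))
```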

BelirafoN, 2014-11-13
@BelirafoN

And does anyone know how this is implemented in Laravel? Somehow Laravel's handling of the CSRF token does not fit the scheme described above.
The token is not put in a cookie; there is only the session, which clearly is not regenerated between requests. The CSRF token used to sign the form, or the whole page (in the meta tag), is also static, otherwise AJAX requests would not work.
It turns out that Laravel's CSRF token signing scheme is defective. A much simplified version?
