Wednesday, May 23, 2018

Cross Site Request Forgery - method 02

In this post I discuss how to protect against CSRF attacks using the double-submit cookie pattern.

Workflow


In the double-submit cookie pattern, two cookies (the session cookie and a CSRF token cookie) are stored in the browser. In the previous method we stored the CSRF token values on the server side (in a text file); here we do not store anything on the server. The server only checks that the token arriving in the cookie equals the token arriving in the form, relying on the fact that a cross-site page can make the browser send the cookie but cannot read it to copy it into the form.

index.php


The user logs in to the website with their credentials. Here, I hard-coded the credentials for testing purposes, like this: ($uname == 'thusiya' && $pwd == 'thusiya').



result.php





As shown, two cookies are stored in the browser. They have a one-year expiry and are available from any path. In a real deployment both lifetimes should be much shorter, the session cookie should be marked HttpOnly and Secure, and the CSRF token should be freshly generated per session with a cryptographic random source.


home.php



The CSRF cookie value and the CSRF value from the HTML hidden field are passed to the checkToken function as parameters.

token.php


If the two CSRF values match, the function returns true; otherwise the request is rejected.
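The whole flow described above (login, issuing the two cookies, rendering the hidden field, and the checkToken comparison) in a single PHP file, as an added example; this is not the code from the post's GitHub repository. The cookie names (app_session, csrf_token), the field name, the function names, the one-hour lifetime and the assumption that the script is served at / are my own choices for illustration.

```php
<?php
// Added example: a minimal double-submit cookie CSRF check in plain PHP.
// Not the code from the post's repository; cookie names, field names,
// function names and the hard-coded credentials are assumptions.

declare(strict_types=1);

const SESSION_COOKIE = 'app_session';
const CSRF_COOKIE    = 'csrf_token';
const CSRF_FIELD     = 'csrf_token';

// 256 bits from the CSPRNG, hex encoded (64 characters).
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// The check token.php performs in the post: the value the browser sent
// automatically (cookie) must equal the value the form carried (hidden field).
// Both must be present and well formed; hash_equals() compares in constant time.
function checkToken(?string $cookieValue, ?string $fieldValue): bool
{
    if ($cookieValue === null || $fieldValue === null) {
        return false;
    }
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookieValue)) {
        return false; // malformed or empty cookie: never treat "" == "" as a match
    }
    return hash_equals($cookieValue, $fieldValue);
}

// Issue both cookies after a successful login. The session cookie is
// HttpOnly + Secure + SameSite. The CSRF cookie can be HttpOnly as well,
// because the hidden field is rendered server side and never read by JavaScript.
function issueCookies(string $sessionId, string $csrfToken): void
{
    $opts = [
        'expires'  => time() + 3600, // one hour, instead of the post's one year
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
    setcookie(SESSION_COOKIE, $sessionId, $opts);
    setcookie(CSRF_COOKIE, $csrfToken, $opts);
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($method === 'POST' && isset($_POST['login'])) {
    // Hard-coded credentials, as in the post, for testing only.
    if (($_POST['uname'] ?? '') === 'thusiya' && ($_POST['pwd'] ?? '') === 'thusiya') {
        issueCookies(bin2hex(random_bytes(16)), generateCsrfToken());
        header('Location: /', true, 303); // assumes this script is served at /
        exit;
    }
    http_response_code(401);
    exit('Invalid credentials');
}

if ($method === 'POST') {
    // Any state-changing action requires a matching cookie/field pair.
    if (!checkToken($_COOKIE[CSRF_COOKIE] ?? null, $_POST[CSRF_FIELD] ?? null)) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    exit('Action accepted');
}

// GET: login form when there is no session, otherwise the protected form
// with the token copied from the cookie into a hidden field (home.php in the post).
if (!isset($_COOKIE[SESSION_COOKIE], $_COOKIE[CSRF_COOKIE])) {
    echo '<form method="post"><input name="uname"><input name="pwd" type="password">'
       . '<button name="login" value="1">Login</button></form>';
} else {
    $token = htmlspecialchars($_COOKIE[CSRF_COOKIE], ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">'
       . '<button>Do something</button></form>';
}
```

A cross-site form can make the browser attach the csrf_token cookie but cannot read it, so it cannot fill in a matching hidden field and checkToken fails. The plain pattern does trust whatever arrives in the cookie, so anyone who can set cookies for the site's domain (for example from a sibling subdomain) can forge a matching pair; OWASP's CSRF guidance recommends the signed variant, where the cookie carries an HMAC of the token computed with a server-side key, for deployments where that is a concern.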

You can download source code from my GitHub.

https://github.com/thusith94/Cookies-Patterns