I have already seen some questions here (Stack Overflow) and THIS post, but I still have some questions…
- Using a hidden value in the POST form and checking it when the POST reaches the server.
  - The hidden value can easily be copied and sent exactly like the real one; "hard to guess" (like md5) will not help. (right?)
- Setting a cookie when you reach the form and sending the cookie value as a hidden value.
  - You can easily change a cookie value or send a custom cookie exactly like the real one, using the same real hidden value. (right?)
- Using a 'timeout', so the POST values cannot arrive too late.
  - So, if you're slow you will fail when you try to set everything up with the hidden value. If you're fast it is going to work. (right?)
I want to be protected against CSRF… but how exactly do I do it?
The easiest way I found to prevent CSRF issues is:
- On the server side, assign an HttpOnly cookie to the client with a random (unguessable) token
- Place a hidden field on the form with that cookie value
- Upon form submission, ensure (on the server side) that the hidden field value equals the cookie value
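The three steps above are the double-submit cookie pattern. Below is an added, framework-free Python example of it; it is not code from the original question or answer, and the cookie name `csrf_token`, the field name `csrf_token`, the helper names and the simulated requests are all assumptions made for illustration. It shows why the HttpOnly flag is not a problem here (the server, not client-side script, writes the token into the page), why the comparison should be constant-time, and how a forged cross-site POST fails: the victim's browser attaches the cookie automatically, but the attacker cannot read it and so cannot fill in a matching hidden field.

```python
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumed names; pick whatever suits your application.
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"


def issue_token() -> str:
    """Step 1: a fresh, unguessable token from the OS CSPRNG (256 bits)."""
    return secrets.token_urlsafe(32)


def set_cookie_header(token: str) -> str:
    """Step 1 (continued): the Set-Cookie header that delivers the token.

    HttpOnly keeps page scripts from reading it, Secure keeps it off
    plaintext HTTP, and SameSite=Strict stops most cross-site sends outright.
    """
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def render_form(token: str) -> str:
    """Step 2: the server writes the same token into a hidden field.

    Because the server does this while rendering, the cookie can stay
    HttpOnly; no JavaScript ever needs to read it.
    """
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="{FIELD_NAME}" value="{html.escape(token, quote=True)}">\n'
        '  <input type="text" name="amount">\n'
        '  <button type="submit">Send</button>\n'
        "</form>"
    )


def verify_submission(cookie_header: str, body: str) -> bool:
    """Step 3: accept the POST only if cookie and hidden field carry the same token."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or not morsel.value:
        return False  # no token cookie at all

    submitted = parse_qs(body).get(FIELD_NAME, [""])[0]
    if not submitted:
        return False  # form did not carry the hidden field

    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(morsel.value, submitted)


if __name__ == "__main__":
    # Constructed walk-through: the user loads the form, then submits it.
    token = issue_token()
    print(set_cookie_header(token))
    print(render_form(token))

    # Legitimate submission: browser sends the cookie and the matching field.
    assert verify_submission(f"{COOKIE_NAME}={token}", f"amount=10&{FIELD_NAME}={token}")

    # Forged cross-site POST: the victim's browser still attaches the cookie,
    # but the attacker's page could not read it, so the field is a guess.
    attacker_guess = secrets.token_urlsafe(32)
    assert not verify_submission(f"{COOKIE_NAME}={token}", f"amount=10&{FIELD_NAME}={attacker_guess}")
    print("legitimate submission accepted, forged submission rejected")
```

Two practical caveats. The check only holds if the attacker cannot set the cookie on your origin, so an attacker-controlled sibling subdomain (or a non-Secure cookie over plaintext HTTP) would defeat it; binding the cookie to the session or signing it with a server key removes that dependency. And the token should be rotated at least on login, since a long-lived token that leaks once stays valid until it is replaced.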