Reading OWASP CSRF prevention cheat sheet , one of the methods proposed to prevent

Question

0

Asked: June 4, 20262026-06-04T06:12:06+00:00 2026-06-04T06:12:06+00:00

Reading OWASP CSRF prevention cheat sheet , one of the methods proposed to prevent

0

Reading OWASP CSRF prevention cheat sheet, one of the methods proposed to prevent these kind of attacks is the synchronizer token pattern.

If the session token is cryptographically strong, can it double as the csrf token as described in the following pseudocode?

Client:

<script>
dom.replace(placeholder, getCookie("session-cookie"))
</script>

<form>
<input type="hidden" name="csrf-cookie" value="placeholder-value"/>
<input type="text" />
</form>

Server:

if(request.getParameter("csrf-cookie") != user.getSessionCookie())
    print "get out you evil hacker"

The cookie is set with javascript on page load to prevent users from accidentally leaking the session cookie if they e.g. email a copy of the page to a friend.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-04T06:12:08+00:00

Editorial Team

2026-06-04T06:12:08+00:00Added an answer on June 4, 2026 at 6:12 am

Anything that cannot be retrieved by an external site can be used as a CSRF token. So contents of the session cookie is fine for this.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Reading OWASP CSRF prevention cheat sheet , one of the methods proposed to prevent

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply