
Double Submit Cookie Pattern

Previously, I wrote an article about CSRF and the Synchronizer Token Pattern. As discussed there, with the Synchronizer Token Pattern the server stores each CSRF token against the session ID. This introduces a concern: sessions cost memory, and server-side state complicates load distribution across web servers, because every node must see the same token store or requests must be pinned to the node that issued the token. With a significant number of users on the system at a given time, the memory used grows with the number of active sessions. This is where the Double Submit Cookie Pattern comes into play. In the Double Submit Cookie Pattern the server does not store the tokens, so it is called a stateless CSRF defence. Double submit is a variation of the token scheme in which the client is required to submit the token both as a request parameter and as a cookie; on each state-changing request the server checks that the two values match. A malicious page on another domain cannot read the CSRF cookie before its request (the same-origin policy prevents it) and thus cannot include the matching value as a request parameter. This pattern is called stateless...
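The check described above, as an added example that is not part of the original post: a server-side validation routine that issues a random token in a cookie, keeps no copy of it, and on every non-safe request requires the same value to arrive in a form field or header. The `Request` dataclass is a constructed stand-in for the parts of an HTTP request the defence inspects; the cookie, field and header names are assumptions, not from the post. The second half goes beyond the post: a signed variant that binds the token to the session ID with an HMAC, which closes the known weakness of the naive pattern (an attacker who can set a cookie for the domain, for example from a subdomain, can plant a matching cookie/parameter pair).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for an HTTP request: only the parts the CSRF check looks at.
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

# Assumed names; any consistent cookie/field/header names work.
CSRF_COOKIE = "csrf_token"
CSRF_FIELD = "csrf_token"
CSRF_HEADER = "X-CSRF-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token() -> str:
    """Unguessable token placed in the CSRF cookie. The server keeps no copy (stateless)."""
    return secrets.token_urlsafe(32)


def submitted_token(req: Request):
    # Accept the token as a form field (HTML forms) or as a header (XHR/fetch clients).
    return req.form.get(CSRF_FIELD) or req.headers.get(CSRF_HEADER)


def validate_double_submit(req: Request) -> bool:
    """Naive double submit: cookie value and submitted value must be present and equal."""
    if req.method in SAFE_METHODS:
        return True
    cookie_token = req.cookies.get(CSRF_COOKIE)
    param_token = submitted_token(req)
    if not cookie_token or not param_token:
        return False  # a cross-site page cannot read the cookie, so it cannot supply the parameter
    # Constant-time comparison so a mismatch leaks nothing about the token.
    return hmac.compare_digest(cookie_token, param_token)


def _mac(secret: bytes, session_id: str, nonce: str) -> str:
    # Length-prefix the session ID so "ab" + "c" and "a" + "bc" cannot collide.
    msg = f"{len(session_id)}!{session_id}!{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_signed_token(secret: bytes, session_id: str) -> str:
    """Signed variant: token = HMAC(secret, session_id, nonce) + "." + nonce.
    Still stateless (no server-side copy), but only the server can mint a token for this session."""
    nonce = secrets.token_urlsafe(16)
    return f"{_mac(secret, session_id, nonce)}.{nonce}"


def validate_signed_double_submit(req: Request, secret: bytes, session_id: str) -> bool:
    if req.method in SAFE_METHODS:
        return True
    cookie_token = req.cookies.get(CSRF_COOKIE)
    param_token = submitted_token(req)
    if not cookie_token or not param_token:
        return False
    if not hmac.compare_digest(cookie_token, param_token):
        return False
    mac, sep, nonce = cookie_token.partition(".")
    if not sep:
        return False  # not in the server-issued format
    return hmac.compare_digest(mac, _mac(secret, session_id, nonce))


if __name__ == "__main__":
    t = issue_token()
    print("legit:", validate_double_submit(Request("POST", {CSRF_COOKIE: t}, {CSRF_FIELD: t})))
    print("cross-site (no param):", validate_double_submit(Request("POST", {CSRF_COOKIE: t}, {})))
```

The naive version accepts any cookie/parameter pair that matches, which is why an attacker able to write a cookie for the site can bypass it; the signed version rejects such a pair because the MAC was not computed over the victim's session ID. In a real deployment the cookie should also carry `SameSite`, `Secure` and `HttpOnly` where the client does not need to read it with JavaScript.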