Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

7
  • Ideally, the anti-CSRF-token should not be stored in cookies at all. Only in the html-form. Commented Nov 30, 2018 at 10:43
  • "An attacker would only be able to manipulate the current, active session of that particular user whom he stole the anti-CSRF token from". Yes I understand it would have to be that particular user's session whos anti-csrf token was stolen, however, that means the attacker could potentially hijack that particular session right? I know the chances of this happening is very low, but it is still a vulnerability. Commented Nov 30, 2018 at 15:23
  • Also, what's the difference between putting the anti-csrf in the hidden form field vs cookie and then copying to header on every request? I ask because the application I'm building is an SPA and it seems easier just to do the cookie -> request header way. Commented Nov 30, 2018 at 15:26
  • @EJC Your application should not put the anti-CSRF token into the cookies. The way CSRF tokens work is: the server outputs it directly into the html (hidden form field) in every response which has a form. How would an attacker hijack a session if he doesn't have access to the JWT? The JWT is for authentication. The anti-CSRF-token is only for CSRF-protection. Commented Nov 30, 2018 at 16:25
  • Well with a CSRF attack you don't need access to the JWT, it is stored in the browser and its automatically sent with the request. This, in combination with getting the anti-csrf token with XSS, should be enough to hijack the session. Commented Nov 30, 2018 at 22:47