1
votes

Is it safe to use a single auth token in a cookie for authentication (POST and request only JSON via AJAX)?

Why can't an attacker get the form token in a hidden field?

How does an attacker do a CSRF attack with a POST request?

1
Please clarify your first question. – Gumbo

1 Answer

16
votes

Is it safe to use a single token in a cookie for authentication?

Sort of: if that cookie is HTTP-only (which helps protect against XSS) and SSL-only, then there's no way anyone outside your site can read that cookie.

However, the user's browser can retain that cookie, and will automatically send it whenever their browser requests a page from your application again. This is desired when the user is navigating your site, but also how a CSRF attack is possible.

Why can't the attacker get the form token in a hidden field?

In a CSRF attack the hacker can't actually read your site or the cookie because it should be protected by SSL/HTTPS. CSRF works by fooling your browser into sending their data along with your secure data to your site.

So a value in a hidden field is part of the default defence against CSRF - they have a secret value in a cookie (which the hacker can fool the browser into re-sending but can't see or edit) and the same value in a hidden input field in the encrypted page (which the hacker can't get to). If the cookie and the hidden value don't match then you have a CSRF attack.

How does an attacker carry out a CSRF attack with a POST request?

Ok, so suppose you have a secure website. You can log into this site using SSL and you'll get an HTTP-only SSL authentication cookie back that keeps you logged in.

Now I have a new page, on a completely different site. If I link to your site from mine then when you click on that link it will leave my site and go to yours, passing your cookie.

If I add an HTML <form> to my page that POSTs back to your site the same thing happens: the browser goes back to your site and sends any data in the form, along with your cookie.

Note that I haven't read either your cookie or any pages on your site, as both are protected by SSL encryption.

For the full effect I can hide that form on the page so that the user doesn't even realise that they're posting back to your site.

A trivial example of this is the 'Like' functionality on Facebook - they've patched this now I think, but for a while I could fool your browser (without accessing your details) into sending your authentication cookie to the Facebook action that says you like something I want you to.