3 years ago

XSRF-TOKEN Cookie Security

Posted 3 years ago by steveneaston

During a code review of an application we're developing, one of the security advisors raised storing the CSRF token in the XSRF-COOKIE is insecure and "isn't mitigation to CSRF at all".

It was suggested that a malicious forged request from an attacker could pick up a victim's cookies from their browser, including the XSRF-TOKEN cookie, meaning the attacker could forge a request using a valid csrf token.

I'm quite happy I can prevent the XSRF-TOKEN cookie from being set without any negative consequences — we include the _token parameter in each POST request and X-CSRF-TOKEN header in ajax requests. My question is to find out if there's any stock in this claim? I don't know enough about request forgery to comment.

Please sign in or create an account to participate in this conversation.