During a code review of an application we're developing, one of the security advisors raised that storing the CSRF token in the XSRF-COOKIE is insecure and "isn't mitigation to CSRF at all".
It was suggested that a malicious forged request from an attacker could pick up a victim's cookies from their browser, including the XSRF-TOKEN cookie, meaning the attacker could forge a request using a valid CSRF token.
I'm quite happy I can prevent the XSRF-TOKEN cookie from being set without any negative consequences — we include the _token parameter in each POST request and the X-CSRF-TOKEN header in AJAX requests. My question is whether there's any stock in this claim. I don't know enough about request forgery to comment.
CSRF is basically an attack that makes your browser submit a form that you haven't requested.
This means that you, for example, receive an email from X, click a button, and because you have the necessary cookies and permissions you have accidentally submitted a form that you never requested.
With the token set in your cookie, what happens is that the server makes sure that you have at least requested the form, and for that single time (the same form tomorrow will have a different cookie).
So it's true, an attacker can submit a form if he can trick you at the same moment that you requested the form he wants to submit, but in security everything is about probabilities.
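The point both the question and the answer circle around is why a token the browser sends automatically in a cookie still defends against forgery: the server does not trust the cookie alone, it requires a second copy that only same-origin page code (or the server-rendered form) could have supplied. The following is an added illustration of that double-submit comparison, not code from the original thread or from any framework; the cookie, header and field names are taken from the question, and the request dictionaries are constructed samples.

```python
import hmac
import secrets

# Names as used in the question above; the comparison logic is an added
# example of the double-submit pattern, not a particular framework's code.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-CSRF-TOKEN"
FORM_FIELD = "_token"


def issue_token() -> str:
    """Mint a fresh, unguessable token for a new session."""
    return secrets.token_urlsafe(32)


def request_is_genuine(cookies: dict, headers: dict, form: dict) -> bool:
    """Double-submit check.

    The cookie copy arrives on every request, including forged ones, because
    the browser attaches it automatically. The second copy (header or form
    field) can only be filled in by code running on the site's own origin,
    which a cross-site page cannot do since it cannot read the cookie.
    """
    cookie_token = cookies.get(COOKIE_NAME)
    submitted = headers.get(HEADER_NAME) or form.get(FORM_FIELD)
    if not cookie_token or not submitted:
        return False  # missing either copy is rejected, never treated as a match
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(cookie_token, submitted)


# Constructed sample: one victim session token reused in both scenarios.
SESSION_TOKEN = issue_token()


def legitimate_ajax_request() -> bool:
    # The site's own JavaScript read the cookie and echoed it in the header.
    return request_is_genuine(
        cookies={COOKIE_NAME: SESSION_TOKEN},
        headers={HEADER_NAME: SESSION_TOKEN},
        form={},
    )


def forged_cross_site_post() -> bool:
    # The browser attached the victim's cookie, but the attacker's page could
    # not read it, so the form field holds only a guess and the check fails.
    return request_is_genuine(
        cookies={COOKIE_NAME: SESSION_TOKEN},
        headers={},
        form={FORM_FIELD: "constructed-attacker-guess"},
    )
```

The cookie being sent is therefore not the weakness; the check only breaks if the attacker can also read or set that cookie, which is what a same-site XSS or a sibling-subdomain cookie injection would give them, and that is the threat to review rather than the cookie itself.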