Synchronizer Token Pattern

mohomed arfath
3 min readOct 7, 2019


In my previous blog I explained what a CSRF attack is. If you haven't read it, I will provide the link here (for CSRF blog).

The Synchronizer Token Pattern (STP) is a method used to prevent CSRF attacks. Let's see how this prevention mechanism works.

How to prevent?

This figure illustrates how the Synchronizer Token Pattern (STP) works.
As shown in the figure, the client first sends a login request with its credentials to the server, and the server responds with a Set-Cookie header carrying a session ID that it uses to track the client's state. The client's browser stores that cookie and sends it automatically with every later request to the site. The client then asks the server for a CSRF token using an AJAX POST request. When the server receives that request, it generates a CSRF token for the client, keeps a copy of it on the server side, tied to that session, so it can validate later submissions, and returns the token to the client, which places it in a hidden form field. From then on, whenever the client sends a request that changes state on the server, the server compares the submitted token against the stored copy and proceeds only if they match; a request with a missing or wrong token is rejected. The pattern works because a page on another site can make the browser send the session cookie, but it cannot read the token, which is only ever delivered to the legitimate origin.

Here I have created a sample project for the Synchronizer Token Pattern; click to get the code.

First we need to log in to the page using

username → admin
password → pass

login page

After logging in, we get a page like this.

When we log in and reach the home page, the session cookie is set and the CSRF token is generated by our JavaScript code; the token is saved to a file on the server and stored in the session by the set-cookie function.

When we update a post, the update request is sent together with the token, so the server can validate that the request comes from the legitimate user rather than from a forged cross-site request.

Here I have used the MD5 hashing algorithm to create the token, stored it in the savedtoken.txt file and saved it in the session. Whatever construction is used, the token must be unguessable: derive it from a cryptographically secure random source, never from predictable values such as a timestamp or the session ID alone, because an attacker who can predict the token defeats the check entirely.

When a user updates a post, the token is checked using the mechanism described above.

This is how it looks when the request is valid.

This is how it looks when the request is not valid.
