[WEB SECURITY] CSRF protection: What are the benefits of using the Synchronizer Token Pattern if your application is not vulnerable to XSS and using HTTPS only?

Tim tim-security at sentinelchicken.org
Thu Apr 21 15:41:03 EDT 2011


> Anyone else who has tweaks or ideas on how to enhance Double Submit? Love to hear about it!


I'm sure this has been mentioned somewhere at some point, but why not
just use an HMAC instead?  Doesn't require synchronization and you
don't need to bother with cookies (*blech*).

(Note that Paul's comment about other people not being able to set
cookies in your domain may or may not be true depending on how old the
browser is.  I'd have to dig to determine the current state of that
particular cookie brokenness, but [1] is a great resource to
start understanding just how buggy implementations likely still are.)

This is one possible way to use an HMAC:

A. Upon user session creation, store a random secret key in the
server-side session state.  Do not bother changing this again for this
session.

B. On every form, in a hidden form field (POST body) include your CSRF
token which is constructed as:
   csrftoken = timestamp || HMAC(key, timestamp)

C. When receiving each POST, just verify that the timestamp is not too
old and that the HMAC matches.  This handles asynchronous requests
perfectly fine for the whole session.


I'm sure this could be improved, but that's the gist of it.

tim


1. http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html
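
Steps A-C from the message above, as an added example that is not part of the original post. HMAC-SHA256, the "." separator between timestamp and tag, the one-hour freshness window and all function names are assumptions; the post specifies only timestamp || HMAC(key, timestamp) and "not too old".

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

MAX_AGE_SECONDS = 3600  # assumed window; the post only says "not too old"
TAG_HEX_LEN = hashlib.sha256().digest_size * 2


def new_session_key() -> bytes:
    """Step A: random secret stored in server-side session state."""
    return secrets.token_bytes(32)


def _tag(key: bytes, ts: str) -> str:
    return hmac.new(key, ts.encode("ascii"), hashlib.sha256).hexdigest()


def issue_token(key: bytes, now: Optional[int] = None) -> str:
    """Step B: csrftoken = timestamp || HMAC(key, timestamp)."""
    ts = str(int(time.time()) if now is None else now)
    return f"{ts}.{_tag(key, ts)}"


def verify_token(key: bytes, token: str, now: Optional[int] = None) -> bool:
    """Step C: accept only a well-formed, authentic, fresh token."""
    now = int(time.time()) if now is None else now
    if not token.isascii():
        return False
    ts, sep, tag = token.partition(".")
    if not sep or not ts.isdigit() or len(tag) != TAG_HEX_LEN:
        return False
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(_tag(key, ts).encode(), tag.encode()):
        return False
    # Check age only after the MAC verifies; reject future-dated stamps too.
    return 0 <= now - int(ts) <= MAX_AGE_SECONDS
```
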