Tuesday, May 15, 2018

OAuth 2.0

In this post I'm going to describe how to create an OAuth 2.0 Resource Server API. Here is a brief idea of how it works:



How to implement Cross-Site Request Forgery protection in web applications via the Double Submit Cookie pattern

In this post I'm going to show you how to achieve CSRF attack protection using the double-submit cookie pattern.

Here is a brief idea of the method:


As you can see in the above diagram, in the double-submit cookie pattern two cookies (one for the session and one for the CSRF token) are stored in the browser. The same token value is also submitted in the form, so the server receives two copies of it with every state-changing request.
In the previous method (the synchronizer token pattern) we stored the CSRF token values on the server side, in a text file. Here we don't: nothing is stored on the server, it only checks that the value in the cookie and the value in the form are identical. That works because a page on another origin can read neither our cookies nor the hidden field, so it cannot forge a matching pair.

Let's start with the "index.php" page..,


This one is similar to the previous one: you have to give the correct credentials to go to the next page (the username and password are in my previous post).

If you enter the correct details you will be redirected to the "result.php" page.


and here is the code of "result.php":





As you can see, two cookies are stored in the browser. In this sample both cookies are set with a one-year expiry and path "/", so they are sent with every request to the site. For a real deployment that is too permissive: the session cookie should be HttpOnly so that page script can never read the session id, both cookies should be marked Secure (and SameSite on browsers that support it), and a lifetime tied to the browser session is enough. The CSRF cookie itself must stay readable by JavaScript, otherwise the next step cannot work.

A JavaScript function retrieves the CSRF value from the csrf cookie set in the browser. The DOM is then modified so that the hidden form field carries the value read from the cookie.

Once you submit an update, the form is posted to a page called "home.php":



The csrf cookie value and the csrf value from the HTML hidden field are passed to the checkToken function as parameters.

and here is the "token.php"



This function returns true only if the two CSRF token values match. Compare them with a constant-time function such as hash_equals() rather than ==, and treat a missing cookie or a missing field as a failed check, not as a pass.
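Here is an added, self-contained PHP version of the whole flow, written for this post rather than taken from the blog's GitHub sample: one script that issues the CSRF cookie with explicit attributes, renders the form whose hidden field is filled from the cookie by JavaScript, and validates the pair on POST with a checkToken() that follows the rules above. The cookie name csrf_token, the field name csrf and the form fields are my own choices. It differs from the sample in three places: the session cookie is HttpOnly, both cookies are Secure and SameSite=Strict, and they expire with the browser session instead of after one year.

```php
<?php
// Added example (not the blog's result.php/home.php/token.php): the double-submit
// cookie pattern in one file. Run with `php -S localhost:8000 csrf_double_submit.php`
// behind TLS, or on localhost, which browsers treat as a secure context for the
// Secure flag. Cookie and field names below are my own choices.
declare(strict_types=1);

const CSRF_COOKIE = 'csrf_token';   // readable by script: this is the "first submit"
const CSRF_FIELD  = 'csrf';         // hidden form field: the "second submit"

// Session cookie: HttpOnly so page script can never read the session id,
// Secure + SameSite=Strict as defence in depth, lifetime 0 = browser session.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

/** Issue a fresh CSRF cookie. It must NOT be HttpOnly, or the script cannot copy it. */
function issueCsrfCookie(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG: unguessable
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => 0,                  // session-scoped, not one year
        'path'     => '/',
        'secure'   => true,
        'httponly' => false,
        'samesite' => 'Strict',
    ]);
    return $token;
}

/** Same contract as the blog's checkToken(): true only if both copies exist and match. */
function checkToken($cookieValue, $fieldValue): bool
{
    // A missing or non-string copy (e.g. csrf[]=x) is a failed check, never a pass.
    if (!is_string($cookieValue) || !is_string($fieldValue)) {
        return false;
    }
    // Reject anything that is not the 64-hex-char shape we issued before comparing.
    if (strlen($cookieValue) !== 64 || !ctype_xdigit($cookieValue)) {
        return false;
    }
    return hash_equals($cookieValue, $fieldValue);   // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = checkToken($_COOKIE[CSRF_COOKIE] ?? null, $_POST[CSRF_FIELD] ?? null);
    header('Content-Type: text/plain; charset=utf-8');
    if (!$ok) {
        http_response_code(403);
        echo "CSRF token mismatch: request rejected\n";
        exit;
    }
    echo "Token is valid, update accepted\n";
    exit;
}

issueCsrfCookie();   // GET: (re)issue the cookie, then render the form
?>
<!DOCTYPE html>
<meta charset="utf-8">
<form method="post">
  <input name="first_name" placeholder="First name">
  <input type="hidden" name="<?= CSRF_FIELD ?>" id="csrf-field" value="">
  <button>Update</button>
</form>
<script>
// Copy the csrf cookie into the hidden field. Only script running on this
// origin can read document.cookie, so a cross-site form cannot supply a
// matching value; the server then only has to compare the two copies.
function readCookie(name) {
  for (const part of document.cookie.split('; ')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq) === name) {
      return decodeURIComponent(part.slice(eq + 1));
    }
  }
  return null;
}
document.getElementById('csrf-field').value = readCookie(<?= json_encode(CSRF_COOKIE) ?>) || '';
</script>
```

Submitting the form from this page succeeds; posting the same form from another origin (or with the hidden field removed) gets a 403, because the attacker can neither read the csrf cookie nor set the hidden field to its value. The known limit of the pattern is that anyone who can set a cookie for your origin, through an XSS bug or a compromised sibling subdomain, can plant a matching pair; that is one reason the session cookie stays HttpOnly, and why some deployments additionally sign the cookie value with a server-side key.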

You can download this sample website from my github using the following link;

This is just one simple method; you can try many other ways to do the same thing.

Try something different and make a change!! :) :)





Understanding the "Synchronizer Token Pattern"

First, what is Cross-Site Request Forgery?

"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request." (OWASP)

This post describes a method you can apply to protect your own website: generate a Cross-Site Request Forgery token on the server side when the session is created, store it there, and validate the token submitted with each state-changing request before acting on it.

Now we'll move on to a sample website to understand the method discussed above.

Here I have 5 .php files and one .txt file called "authKeys"; the other files are used to add some effects to my web page. ;)


and here is my "index.php" page:


When a user logs into the website with his/her credentials (here my username is "JANITHA" and my password is "SSE"), a session is created at login. A CSRF token is generated along with the session, and the session id is used as the key that maps to that token, so the token is bound to exactly one session.

Then, if he/she has entered the right credentials, the user is redirected to another page which asks for his/her first name and last name. The token is automatically stored in "authKeys.txt" alongside the session id, and the same token is embedded in the page as a hidden form field.



Once the user enters the first name and last name, the submitted CSRF token is compared with the one stored on the server for that session. If it is valid, the user gets a message saying "Token is Valid"; otherwise the request must be rejected.
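Here is an added, self-contained PHP version of the synchronizer token pattern, written for this post rather than taken from the blog's five-file sample. The server-side copy of the token lives in $_SESSION instead of the sample's authKeys.txt, which binds it to the session id with no file to lock or clean up; the field names are my own choices and the demo credentials are the ones used above. Login, token generation, form rendering and validation all sit in one script so the whole cycle can be followed in one place.

```php
<?php
// Added example (not the blog's sample site): synchronizer token pattern in one
// file. The trusted copy of the token is kept in $_SESSION rather than a text
// file. Run with `php -S localhost:8000 csrf_sync_token.php` behind TLS or on
// localhost. Field names are my own; the demo credentials are the post's.
declare(strict_types=1);

session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Strict',
]);
session_start();

const CSRF_FIELD = 'csrf_token';
const DEMO_USER  = 'JANITHA';   // demo only: real code stores password hashes
const DEMO_PASS  = 'SSE';

/** Generate the token together with the session and keep the only trusted copy server side. */
function generateCsrfToken(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $_SESSION['csrf_token'] = $token;     // implicitly keyed by the session id
    return $token;
}

/** Validate a submitted token against the server-side copy for this session. */
function validateCsrfToken($submitted): bool
{
    if (!is_string($submitted) || !isset($_SESSION['csrf_token'])) {
        return false;   // no token issued for this session, or malformed input
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);   // constant time
}

$action = $_POST['action'] ?? '';

if ($action === 'login') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (is_string($user) && is_string($pass)
        && $user === DEMO_USER && hash_equals(DEMO_PASS, $pass)) {
        session_regenerate_id(true);   // fresh session id on login (session fixation)
        $_SESSION['user'] = $user;
        generateCsrfToken();           // token is created along with the session
    }
}

if ($action === 'update') {
    header('Content-Type: text/plain; charset=utf-8');
    if (!isset($_SESSION['user'])) {
        http_response_code(401);
        echo "Not logged in\n";
        exit;
    }
    if (!validateCsrfToken($_POST[CSRF_FIELD] ?? null)) {
        http_response_code(403);
        echo "Invalid CSRF token\n";   // forged, missing, or from another session
        exit;
    }
    echo "Token is Valid\n";
    exit;
}
?>
<!DOCTYPE html>
<meta charset="utf-8">
<?php if (!isset($_SESSION['user'])): ?>
<form method="post">
  <input type="hidden" name="action" value="login">
  <input name="username" placeholder="Username">
  <input type="password" name="password" placeholder="Password">
  <button>Log in</button>
</form>
<?php else: ?>
<form method="post">
  <input type="hidden" name="action" value="update">
  <!-- the token is embedded by the server; no script or cookie read is needed -->
  <input type="hidden" name="<?= CSRF_FIELD ?>"
         value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
  <input name="first_name" placeholder="First name">
  <input name="last_name" placeholder="Last name">
  <button>Update</button>
</form>
<?php endif; ?>
```

The difference from the double-submit cookie pattern is where the trusted copy lives: here the server holds it and the browser only echoes it back, so the check does not depend on cookie isolation at all. If you prefer a per-request token rather than a per-session one, call generateCsrfToken() again after each successful validation, at the cost of breaking the back button and multi-tab forms.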


You can download this sample website from my github using the following link;
https://github.com/janitha1st/Sample-Synchronizer-Token-Patterns-

This is just one simple method; you can try many other ways to do the same thing.

Try something different and make a change!! :) :)