Tuesday, May 15, 2018

How to implement Cross-site Request Forgery protection in web applications via the Double Submit Cookie Pattern

In this blog I'm going to show you how to achieve CSRF attack protection using the double-submitted cookie pattern.

Here is a brief idea of this method:


As you can see in the above diagram, in the double-submitted cookie pattern two cookies (one for the session and one for the CSRF token) are stored in the browser.
In our previous method, we stored the CSRF token values on the server side (in a text file), but here we don't.

Let's start with the "index.php" page:


This one is similar to the previous one: you have to give the correct credentials to go to the next page (the username and password are in my previous blog).

If you enter the correct details you will be redirected to the "result.php" page.


The code of "result.php" is here:





As you can see, two cookies are stored in the browser. These cookies have a 1-year expiration time and they are accessible from anywhere.

A JavaScript function is written to retrieve the CSRF value from the csrf cookie set in the browser. Then the DOM is modified with the value retrieved from the csrf cookie.

Once you update something it will again redirect to a page called "home.php".



The csrf cookie value and the HTML hidden field csrf value are sent to the checkToken function as parameters.

And here is "token.php":



This function returns true if the csrf token values match.
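As an added example (not the blog's own result.php or token.php; the function names issueCsrfToken and checkToken are assumptions), here is the whole pattern in one PHP file: the server issues a random token in the csrf cookie, the page's JavaScript copies it into the hidden field, and the POST is accepted only when the two values match. It also tightens the cookie attributes compared with the 1-year, anywhere-accessible cookie described above.

```php
<?php
// Added example, not the blog's own result.php/token.php: the double-submitted
// cookie pattern in one file. Names issueCsrfToken() and checkToken() are assumed.
// Issue a fresh random token in the "csrf" cookie. httponly must stay false
// because the page's JavaScript copies the cookie into the hidden form field.
// (setcookie() with an options array needs PHP 7.3+.)
function issueCsrfToken(): string
{
    $token = bin2hex(random_bytes(32));            // 64 hex chars
    setcookie('csrf', $token, [
        'expires'  => 0,          // session lifetime instead of the blog's 1 year
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => false,      // JS needs to read it
        'samesite' => 'Strict',
    ]);
    return $token;
}

// token.php's check: cookie value and hidden-field value must be identical.
// hash_equals() is a constant-time comparison; missing values never match.
function checkToken(?string $cookieToken, ?string $formToken): bool
{
    if ($cookieToken === null || $formToken === null
        || strlen($cookieToken) !== 64 || !ctype_xdigit($cookieToken)) {
        return false;
    }
    return hash_equals($cookieToken, $formToken);
}
// Request handling as result.php / home.php would do it.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!checkToken($_COOKIE['csrf'] ?? null, $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    echo 'Update accepted';
} else {
    issueCsrfToken();
    ?>
    <form method="post">
      <input type="hidden" name="csrf" id="csrf" value="">
      <button type="submit">Update</button>
    </form>
    <script>
      // Read the csrf cookie and copy it into the hidden field (DOM update).
      var m = document.cookie.match(/(?:^|; )csrf=([^;]*)/);
      if (m) document.getElementById('csrf').value = decodeURIComponent(m[1]);
    </script>
    <?php
}
```

With SameSite=Strict the browser already withholds the cookie on cross-site requests, so a forged POST arrives with neither cookie nor matching field and is rejected at checkToken().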

You can download this sample website from my GitHub using the following link:

And this is just one simple method; you can try many ways to do the same thing.

Try different and make a Change..!! :) :)




