I started with the entry in http://en.wikipedia.org/wiki/Cross-site_request_forgery to understand what CSRF is and how to prevent it. I see people talking about preventing CSRF attacks through token generation. I should say that it's still not very clear to me and wanted to have some discussions with you on this.
I understand that we can generate some security tokens and save the timestamp for each user session, and the next time a request comes, check against that token and timestamp. However, what I am not understanding (in a broad sense) is how it is different from just using a regular session attribute or using a cookie. The steps to use a token, as far as my understanding goes, are:
1) Generate a token, using md5 or a random number or anything that an attacker can't guess.
2) Use a hidden field in the form (for POST) or a URL parameter (for GET) as the token value, where you can put the generated token's value.
3) For each user request, determine whether the token is present or not and match it with the token value (and timestamp, with a safe time-to-live) of the session attribute/request attribute.
This means, I have to add the logic of checking this into a filter or controller where I can inject the token or check the condition of the token validation.
But what about checking a first time user request? At that time, the new session is created, right? So the first page must be shown as the token is not present. So if I have already shown the first page or executed the first URL, then I failed to prevent a CSRF attack for that first page/URL. Is that okay?
If you could put some comments, that would help me clarify my thoughts and understanding on this topic. Thanks in advance.
Ashik Uzzaman Lead Member of Technical Staff, Salesforce.com, San Francisco, CA, USA.
The first page (where a session is created) would typically be the page after the login. That would presumably require the user to have sent username and password, something he needs to type in, and that can't be done through a CSRF.
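The three steps from the question and the first-request point from the answer, as an added example (not code from either poster). It models the session as a dict and a request as a dict; the filter only checks state-changing methods, so the first GET that renders the form is where the token gets issued, and a forged cross-site POST arrives with the session cookie but without the hidden-field value. The 15-minute TTL is an assumed value.

```python
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # assumed "safe time-to-live" for the token

def issue_token(session, now):
    """Step 1: store an unguessable token plus its timestamp in the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    session["csrf_issued_at"] = now
    return token

def render_form(session, now):
    """Step 2: embed the token as a hidden field. This runs on the first (GET) request
    of the session, so the token exists before any state-changing request is possible."""
    token = issue_token(session, now)
    return f'<input type="hidden" name="csrf_token" value="{token}">'

def validate_request(session, request, now, ttl=TOKEN_TTL_SECONDS):
    """Step 3, the filter logic. Returns (accepted, reason).
    Safe methods only read state and need no token; anything else must echo back the
    token that was issued to this session, within its TTL, compared in constant time."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, no token required"
    expected = session.get("csrf_token")
    if expected is None:
        return False, "no token issued in this session"
    if now - session["csrf_issued_at"] > ttl:
        return False, "token expired"
    supplied = request.get("form", {}).get("csrf_token")
    if supplied is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token missing or mismatched"
    return True, "ok"

def simulate():
    """Constructed scenario: one session, whose cookie the browser attaches automatically
    to every request, legitimate or forged. The hidden field is what the forger lacks."""
    session, t0, results = {}, 1_700_000_000, {}
    render_form(session, t0)                      # first request: form served, token issued
    token = session["csrf_token"]                 # stands in for the browser reading the hidden field
    results["first_get"] = validate_request(session, {"method": "GET"}, t0)[0]
    results["legit_post"] = validate_request(
        session, {"method": "POST", "form": {"csrf_token": token}}, t0 + 30)[0]
    # Cross-site page submits a POST: session cookie present, hidden field unreadable, so absent.
    results["forged_post"] = validate_request(session, {"method": "POST", "form": {}}, t0 + 30)[0]
    results["expired_post"] = validate_request(
        session, {"method": "POST", "form": {"csrf_token": token}}, t0 + TOKEN_TTL_SECONDS + 1)[0]
    return results
```

The difference from a plain cookie is visible in `simulate()`: the cookie reaches the server on the forged request too, but the token in the form body does not, so the check fails precisely on the request the attacker controls.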