I sometimes run into sites with CSRF bugs and I want to know the simplest way to recommend for the developer to fix it. (i.e., if I tell them “Switch to a framework that has anti-CSRF protection”, they won’t listen.)
Anecdotally, it looks like most sites mitigate CSRF by including a random token as a hidden form field, and then rejecting the form submission if the token isn’t present. (And it usually looks hand-crafted, not inserted by the framework.)
I’m wondering why it isn’t much simpler (and hence, much more common practice) to do “double-submit cookie” — where you take the session id cookie and put it in a hidden form field, and then reject the form submission if the hidden field value doesn’t match the session id cookie.
First, the problems with the “random token” approach, if your framework doesn’t have it built-in: You have to generate a random value and store it server-side, and in your storage table it must be associated with the user it was served to. When the form is posted, you have to check that the value is there, check it’s associated with the logged-in user, and then delete it so it can’t be re-used. If you screw up any part of this, you’ve potentially created a security hole. And, you might need to create a new database table for your tokens, which is just more cruft. (Yes, I know you can do it using hashes and secret values, but that’s also error-prone.)
By contrast, consider the ease of using the session cookie. (You don’t want to use an authentication cookie, because if the authentication cookie is stored in a hidden form field, an XSS bug might be able to read it. But the session-id cookie is probably safe.) ALL you have to do is store it in a hidden form field, and then check the value when the form is submitted.
So, I contend that IF the website in question has a framework that uses session cookies, I can tell them that the easiest way to fix it is by using double-submit-cookie with the “session-id” cookie, and to ignore all the webpages which usually start out by talking about how to protect against CSRF by using random tokens.
Am I missing something? Does double-submit-cookie have some disadvantage?
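Added example, not code from the question or from any answer: the two checks the post contrasts, written as plain Python functions. The request shape (a dict with `cookies` and `form` sub-dicts), the `sessionid` cookie name, the `csrf` field name and `SERVER_SECRET` are all assumptions for the example; a real handler would read them from the framework's request object and configuration. The `double-submit` mode is exactly what the poster proposes (hidden field equals session cookie). The `hmac` mode is the "hashes and secret values" variant the poster alludes to: it also needs no token table, but the page carries `HMAC(secret, session_id)` instead of the session id itself, so a script that can read the DOM learns only the token, not the session cookie value.

```python
"""
Two server-side CSRF checks for a hand-rolled form handler.

Constructed example. Requests are plain dicts standing in for whatever the
web framework provides. SERVER_SECRET is a placeholder; a real deployment
loads it from configuration, never from source.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Placeholder key for the HMAC-bound variant (constructed for this example).
SERVER_SECRET = b"replace-with-32-random-bytes-from-config"


def double_submit_ok(cookie_value: Optional[str], form_value: Optional[str]) -> bool:
    """Double-submit check as described in the question: the hidden form field
    must equal the session cookie. A cross-site page cannot read the victim's
    cookie, so it cannot supply a matching hidden field."""
    if not cookie_value or not form_value:
        return False
    # Constant-time comparison so the check does not leak the value byte by byte.
    return hmac.compare_digest(cookie_value, form_value)


def make_bound_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Stateless token bound to the session: HMAC-SHA256(secret, session_id).
    Nothing is stored server-side, and the page never carries the session id."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def bound_token_ok(cookie_session_id: Optional[str], form_token: Optional[str],
                   secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the expected token from the cookie and compare in constant time."""
    if not cookie_session_id or not form_token:
        return False
    expected = make_bound_token(cookie_session_id, secret)
    return hmac.compare_digest(expected, form_token)


def render_hidden_field(session_id: str, mode: str) -> str:
    """Value the server embeds in <input type="hidden" name="csrf"> when serving the form."""
    if mode == "double-submit":
        return session_id
    if mode == "hmac":
        return make_bound_token(session_id)
    raise ValueError(f"unknown mode {mode!r}")


def check_post(request: Dict[str, Dict[str, str]], mode: str) -> bool:
    """Validate a state-changing POST before acting on it."""
    cookie_sid = request.get("cookies", {}).get("sessionid")
    field = request.get("form", {}).get("csrf")
    if mode == "double-submit":
        return double_submit_ok(cookie_sid, field)
    if mode == "hmac":
        return bound_token_ok(cookie_sid, field)
    raise ValueError(f"unknown mode {mode!r}")


def demo() -> Dict[str, tuple]:
    """For each mode, return (legitimate post accepted, cross-site post accepted)."""
    sid = secrets.token_urlsafe(24)  # the victim's session id (constructed)
    results = {}
    for mode in ("double-submit", "hmac"):
        hidden = render_hidden_field(sid, mode)
        # Post from the site's own page: browser attaches the cookie, form has the field.
        legit = {"cookies": {"sessionid": sid}, "form": {"csrf": hidden}}
        # Cross-site post: the browser still attaches the cookie, but the other
        # origin could not read it, so the hidden field is absent or a guess.
        forged = {"cookies": {"sessionid": sid}, "form": {"csrf": "guess"}}
        results[mode] = (check_post(legit, mode), check_post(forged, mode))
    return results


if __name__ == "__main__":
    for mode, (legit_ok, forged_ok) in demo().items():
        print(f"{mode:14s} legitimate={legit_ok} cross-site={forged_ok}")
```

Both modes reject the forged post and accept the legitimate one; the difference is only in what the HTML exposes. Either check should be applied to every state-changing request, not just the ones a pentest happened to flag.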