Cross Site Request Forgery

Cross Site Request Forgery as we known as CSRF is one of the most common web security problems.

I am trying to simply explain: Attacker’s always trying to steal a client’s cookie and if it is successful, they can connect to a website instead of us. And then they can do anything they want. Because when we login to some website example: Facebook, our browser asks us ‘Do you want to save login data ?’ If we click save the data, Facebook can generate a unique ID which helps us to login easily next time and then the cookie can save our unique ID.

After this process, our cookies have Facebook-s unique ID for login. If we lose this cookie, they can login to Facebook even if they don’t know our username and password. It sounds like it’s easy to lose our login data to any other social media and bank etc..

How can we protect ourselves from losing our cookie ? Or What should we do if we lost our cookie ? Of course, in the world even bad people like hackers or students, even me every time trying to get someone’s cookie. There is no problem because if you are a Developer who knows how to protect from this issue, we can protect as well.

Most common technique is CSRF token. CSRF token should be a highly encrypted unique string. This token will be generated on Server-side and sent to the client’s web browser when we browse this website. After that client wants to login this website and PUT request to server include this token. On the Server-side program will match this token. This is the best way to protect this type of web vulnerability.

If you want to do it more securely, we can set an expiration time for our cookie.

Thank you for your time. I want to make notes for me about cookies and CSRF. If this article can help you to understand this process, I would be happy for that :).

Full-stack Software Developer