
Commit 7819a41

Merge pull request #190448 from yoelhor/patch-247
Cross Site Request Forgery (CSRF)
2 parents 1644577 + 9999638 commit 7819a41

File tree

1 file changed

+12
-2
lines changed


articles/active-directory-b2c/cookie-definitions.md

Lines changed: 12 additions & 2 deletions
@@ -9,7 +9,7 @@ manager: CelesteDG
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: reference
12-
ms.date: 08/12/2021
12+
ms.date: 03/20/2022
1313
ms.author: kengaderdus
1414
ms.subservice: B2C
1515
---
@@ -42,8 +42,18 @@ The following table lists the cookies used in Azure AD B2C.
4242
| `x-ms-cpim-trans` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for tracking the transactions (number of authentication requests to Azure AD B2C) and the current transaction. |
4343
| `x-ms-cpim-sso:{Id}` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for maintaining the SSO session. This cookie is set as `persistent`, when [Keep Me Signed In](session-behavior.md#enable-keep-me-signed-in-kmsi) is enabled.|
4444
| `x-ms-cpim-cache:{id}_n` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md), successful authentication | Used for maintaining the request state. |
45-
| `x-ms-cpim-csrf` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Cross-Site Request Forgery token used for CRSF protection. |
45+
| `x-ms-cpim-csrf` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Cross-Site Request Forgery token used for CRSF protection. For more information, read the [Cross-Site request forgery token](#cross-site-request-forgery-token) section. |
4646
| `x-ms-cpim-dc` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for Azure AD B2C network routing. |
4747
| `x-ms-cpim-ctx` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Context |
4848
| `x-ms-cpim-rp` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing membership data for the resource provider tenant. |
4949
| `x-ms-cpim-rc` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing the relay cookie. |
50+
51+
## Cross-Site request forgery token
52+
53+
To prevent Cross Site Request Forgery (CSRF) attacks, Azure AD B2C applies the Synchronizer Token strategy mechanism. For more details on this pattern, check out the [Cross-Site Request Forgery Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern) article.
54+
55+
Azure AD B2C generates a synchronizer token, and adds it in two places; in a cookie labeled `x-ms-cpim-csrf`, and a query string parameter named `csrf_token` in the URL of the page sent to the Azure AD B2C. As Azure AD B2C service processes the incoming requests from the browser, it confirms that both the query string and cookie versions of the token exist, and that they exactly match. Also it verifies the elements of the contents of the token to confirm against expected values for the in-progress authentication.
56+
57+
For example, in the sign-up or sign-in page, when a user selects the "Forgot password", or "Sign-up now" links, the browser sends a GET request to Azure AD B2C in order to load the contents of the next page. The request to load content Azure AD B2C additionally chooses to send and validate the Synchronizer Token as an extra layer of protection to ensure that the request to load the page was the result of an in-progress authentication.
58+
59+
The Synchronizer Token is a credential that doesn't identify a user, but rather is tied to an active unique authentication session.
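Review bot: the rewritten table row at line 45 keeps the existing typo "CRSF protection"; since this line is being touched anyway, change it to "CSRF protection" so the row matches the acronym defined in the new section heading and in the first sentence of that section ("Cross Site Request Forgery (CSRF)"). Two further points in the added section: the sentence beginning "The request to load content Azure AD B2C additionally chooses to send and validate the Synchronizer Token..." reads as two sentences run together and should be rephrased, for example "For this request, Azure AD B2C additionally sends and validates the Synchronizer Token as an extra layer of protection..."; and the heading "## Cross-Site request forgery token" should use consistent capitalization ("Cross-Site Request Forgery token") so the anchor text and the in-table link read the same way. Finally, "in the URL of the page sent to the Azure AD B2C" is ambiguous about direction; stating that the `csrf_token` query parameter is carried on the request the browser sends back to Azure AD B2C, and is then compared against the `x-ms-cpim-csrf` cookie value, would make the check easier to follow.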
