Understanding CSRF token implementation. #2835

vkosovskikh · 2021-09-25T07:34:56Z

vkosovskikh
Sep 25, 2021

Hello,

Can you please help me understand the double submit csrf token implentation made in next-auth? So, tell me if I am wrong somewhere.

The first step we generate random token, hash it with sha256 and put it to httpOnly cookie. Here we use a provided secret or generated secret for hashing. So, is this secret same for every client and request?

The second step a client asks server for csrf token value: { ..., csrfToken: await getCsrfToken() } and adds it to req.body. At this point we already have csrfToken in cookies. So, does the server returns the same token based on what is in cookies? If this is correct why can't attacker call getCsrfToken() and get the token?

balazsorban44 · 2021-09-25T09:55:26Z

balazsorban44
Sep 25, 2021
Maintainer

https://jcarpizo.github.io/owasp-info/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Understanding CSRF token implementation. #2835

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Understanding CSRF token implementation. #2835

Uh oh!

vkosovskikh Sep 25, 2021

Replies: 1 comment

Uh oh!

balazsorban44 Sep 25, 2021 Maintainer

vkosovskikh
Sep 25, 2021

balazsorban44
Sep 25, 2021
Maintainer