Eyal Lupu has written an excellent article in his blog about mitigating Cross Site Request Forgery (CSRF) attack.
CSRF allows an attacker to create a fake form or link that posts to a secured website. It exploits the fact that you might have an active session with that website, so the browser attaches your session cookie to the forged request. For example, an attacker can create a fake form or link carrying all the data required to transfer money to his or her account, and you submit it without realizing it.
This CSRF prevention technique involves two components:
- Rendering a hidden form field with a randomly generated token, which is also stored in the session
- Ensuring the next POST request carries a token matching the one in the session
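The two components above, written out as a small, framework-independent example (added here; this is not code from Eyal Lupu's blog or its repository). The session is assumed to be a plain dict that the web framework keeps server-side and ties to the user's session cookie; the field name `_csrf`, the session key `_csrf_token` and the `handle_transfer` handler are assumptions chosen for the illustration.

```python
import hmac
import secrets
from html import escape

# Assumed names for this example (not taken from the original post).
SESSION_KEY = "_csrf_token"   # where the token lives in the server-side session
FIELD_NAME = "_csrf"          # name of the hidden form field


def get_or_create_token(session):
    """Return the session's CSRF token, generating a random one on first use.

    Using a CSPRNG (secrets) is what makes the token unguessable; the attacker's
    forged form cannot include a value it has no way of learning.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        session[SESSION_KEY] = token
    return token


def render_hidden_field(session):
    """Component 1: the hidden <input> a server-side template embeds in every form."""
    token = get_or_create_token(session)
    return f'<input type="hidden" name="{FIELD_NAME}" value="{escape(token)}">'


def verify_post(session, form):
    """Component 2: accept a POST only if its token matches the session's token.

    A missing session token, a missing field, or a mismatch all reject the request.
    compare_digest keeps the comparison constant-time.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(FIELD_NAME)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, form):
    """Hypothetical money-transfer endpoint guarded by the token check.

    Returns an HTTP-style status code so the outcome is easy to assert on.
    """
    if not verify_post(session, form):
        return 403  # forged or stale request: refuse before touching any state
    # ... perform the transfer for form["to"] / form["amount"] here ...
    return 200


if __name__ == "__main__":
    # Constructed walk-through: one logged-in user with a server-side session.
    session = {}

    # The site renders its own form; the hidden field carries the session token.
    print(render_hidden_field(session))
    genuine_form = {"to": "savings", "amount": "100", FIELD_NAME: session[SESSION_KEY]}
    print("genuine submission ->", handle_transfer(session, genuine_form))   # 200

    # A cross-site form rides on the same session cookie but cannot know the
    # token, so it either omits the field or sends a wrong value.
    forged_form = {"to": "attacker", "amount": "100"}
    print("forged submission  ->", handle_transfer(session, forged_form))    # 403
```

The token is created lazily the first time a form is rendered, so every page that embeds a form shares the same session token until the session ends; `verify_post` deliberately treats a session with no token as a rejection rather than minting one on the fly, which would let a request pass by supplying a field for a token the server had never issued.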
The sample source code for this solution can be obtained with:
git clone https://github.com/eyal-lupu/eyallupu-blog.git