Double Submit Cookie Implementation questions

Question

I have read up on the Double Submit Cookies vulnerabilities question and while it answers a bunch of questions I am still a bit confused.

I have taken a look at this repo: https://github.com/jeongl/express-jwt-csrf-auth

The summary of this implementation is that on the authenticated request they send a CSRF token in cookie1 and a JWT token (which includes the CSRF token) in cookie2.

The client then takes the csrf token out of cookie1 and stores it locally (assumed) and makes a request with an x-csrf-token header with the csrf token.

The server then decodes the JWT token and extracts the csrf token from the original response and compares it against the x-csrf-token header.

My question is that if an attacker gets access to the cookies can they not extract the csrf token from the cookie1 and send the request with a x-csrf-token header in a form request along with cookie2.

score 2 · Answer 1 · answered Oct 12 '17 at 18:44

2

CSRF protections are there to protect you from attackers making the browser automatically do things on your behalf. In this instance, the client has to include the request header manually (presumably through JavaScript). A normal browser request via form POST or linked GET will never include this header, so a CSRF attack cannot take place.

That's all this protects against. You're screwed if the attacker has a way to steal the cookies because they can just impersonate the user and do whatever they want. Or put another way, you also need to find a way to protect the cookies from being stolen.

answered Oct 12 '17 at 18:44

Steve

15,155
3
37
66

So as long as I use a secure cookie with https, should that be good enough to secure the cookie? – matic Oct 13 '17 at 01:31
@chapmatic yes, that will work. – Steve Oct 13 '17 at 20:29

Double Submit Cookie Implementation questions

1 Answers1