
There is a standard method of preventing a CSRF attack by comparing a value in a special cookie (that is posted automatically with each request) with some value that comes either in a form post (from HTML) or in a header with AJAX requests.

Microsoft has documentation here for Web API on how to do CSRF prevention using Web API; the code basically generates two values and concatenates them together, and then one can send this value with each AJAX request and the server will validate it.

As far as I can see, the validation will check that the token has two parts that are equal to each other and check whether it was generated by the authenticated user. For anonymous users it will only check the first part.

So my question is:

Is this method as secure as comparing the token from the header with the value from the cookie, or are there some drawbacks to doing it this way?

P.S. Authentication itself uses a cookie that is sent with each API request, which makes it possible to attack with CSRF.

Ilya Chernomordik
  • What do you mean exactly with *"token from header"*? If you use your own header field in XHR you would not be able to send a cross-site request anyway unless the server has a CORS policy which allows this. – Steffen Ullrich Jul 12 '19 at 07:28
  • I mean the CSRF token sent in a header, not the authentication information itself. That is sent in a cookie, so CSRF is possible. I will edit the question to make it clearer. – Ilya Chernomordik Jul 12 '19 at 07:37

0 Answers