expressjs / csurf

CSRF token middleware
MIT License

A cookie secret is not really secret #195

Closed wmertens closed 5 years ago

wmertens commented 5 years ago

Am I understanding correctly that the cookie option stores the secret that is used to create the csrf token as a cookie?

If so, the attacker could change the cookie and thereby always send a valid token.

I think this only works if CORS is disabled or there's an XSS vector (in which case it doesn't really matter), but it could be mitigated by using an extra fixed secret in the server that combines with the cookie secret?

dougwilson commented 5 years ago

The client side secret is just for the double submit cookie CSRF pattern. It is listed on OWASP as a valid CSRF protection method. This module allows you to store the secret on the server side as well, which is actually the default secret storage method.