hapijs / crumb

CSRF crumb generation and validation for hapi

How does the check between the cookie and the header actually work? #120

Closed jd327 closed 5 years ago

jd327 commented 5 years ago

Thanks for the plugin, very useful.

Been looking at the source, just want to understand something: If the XHR request sends a cookie crumb=abc and a header X-CSRF-Token: abc, is it enough for validation to check if cookie equals the header, or is there some additional check to see if the value abc is actually valid?

spanditcaa commented 5 years ago

There isn't an additional check; the crumb value is randomly generated and there isn't any backend storage, nor any hashing/signing algorithm used currently that could be used to validate the value.

jd327 commented 5 years ago

Thanks @spanditcaa. So the actual validation mechanism is just a check to compare that the cookie is the same as the header (which means it's a valid request)?

spanditcaa commented 5 years ago

Correct @ivanakimov. There is potential for enhancement. In addition to validating that the value is legit, I have seen other implementations that include a timestamp for expiry embedded in the crumb and set as the cookie lifetime, to prevent someone from capturing a crumb and then programmatically making hundreds of malicious requests.

jd327 commented 5 years ago

Right, makes sense. Yeah, that's why I wanted to double-check. Ok, thank you for the explanation @spanditcaa! 👍

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.