Synchronizer Token Pattern

Let's meet the Synchronizer Token Pattern. In this post, let's discuss using a synchronizer token pattern to prevent CSRF (Cross-Site Request Forgery).

The Synchronizer Token Pattern (STP) is a technique where a token (a secret and unique value for each request) is embedded by the web application in all HTML forms and verified on the server side. The token is generated by the server, which ensures its uniqueness. In this case, the server generates one token per session. The attacker is therefore unable to place a correct token in their requests to authenticate them.

Why STP? A third-party attacker cannot perform a CSRF attack, because cross-domain AJAX calls are not possible. This means that while the victim is on banker.com, attacker.com cannot request the CSRF token from the server via AJAX, because the domains do not match each other and, as mentioned before, cross-domain AJAX calls are not possible.

Let's understand Synchronizer token pat...
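The following is an added example, not code from the original post, showing the pattern end to end: the server mints one secret token per session, embeds it in the HTML form as a hidden field, and rejects any POST whose token does not match the session's token. The in-memory session store, the `/transfer` form, the user names and the `extract_token_from_form` helper (which stands in for the browser submitting the form) are all constructed for this example.

```python
import hmac
import secrets
from html import escape
from typing import Dict, Optional, Tuple

# Constructed in-memory session store for the example: session id -> session data.
# A real application would keep this in its session backend.
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session(user: str) -> str:
    """Start a session and mint its CSRF token (one token per session, as the post describes)."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user,
        # Secret, unpredictable value; only pages served to this session ever see it.
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def render_transfer_form(session_id: str) -> str:
    """Embed the session's token in the HTML form as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="to"><input name="amount">'
        "<button>Send</button></form>"
    )


def csrf_token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Server-side check: the submitted token must equal the token stored for this session."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted:
        return False
    # Constant-time comparison so a mismatch does not leak the token through timing.
    return hmac.compare_digest(
        session["csrf_token"].encode("utf-8"), submitted.encode("utf-8")
    )


def handle_transfer(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Handle the POST: respond 403 unless the synchronizer token checks out."""
    if not csrf_token_is_valid(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    user = SESSIONS[session_id]["user"]
    return 200, f"{user} sent {form['amount']} to {form['to']}"


def extract_token_from_form(html: str) -> str:
    """Pull the hidden token out of rendered HTML (stands in for the browser posting the form)."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start : html.index('"', start)]


if __name__ == "__main__":
    sid = create_session("alice")

    # Legitimate flow: the browser loads banker.com's form and posts the token back.
    page = render_transfer_form(sid)
    good = {"to": "bob", "amount": "10", "csrf_token": extract_token_from_form(page)}
    print(handle_transfer(sid, good))

    # Forged cross-site request: the browser still attaches the session cookie, but
    # attacker.com never saw the token, so the form arrives without it.
    forged = {"to": "mallory", "amount": "1000"}
    print(handle_transfer(sid, forged))
```

The check is deliberately tied to the session: a token minted for one session is rejected in another, so even a token leaked from some other user's page does not help against this one.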