[Owasp-csrfguard] difference between session tokens and csrf tokens

Thomas Biege thomas at suse.de
Mon Jul 4 09:56:02 EDT 2011

On Friday, 1 July 2011, 21:15:00, Normando Macaraeg wrote:
> Please forgive me if this is a silly question, but unfortunately I could
> not give my team a clean answer to this question.  The question was "What
> is the difference between a session token and a CSRF token (as generated
> by CSRFGuard)?"
> My understanding is that a session token is unique per user connection.
> On the other hand, CSRFGuard tokens are injected into all HTML forms, all
> src and href attributes in each page presented to the user.  Additionally,
> a CSRF prevention token can be generated per session, if configured to do
> so.  Isn't this CSRF session token basically the same as the web app
> session token?  Or am I comparing apples to oranges?

The difference is in the technical details.
Today the session token is a session cookie or part of it. The browser
sends the session cookie automatically when it sends an HTTP request to a
site it has a cached cookie for. That is why CSRF attacks work for
restricted sites.
The CSRF token is used to protect POST requests and is not automatically
sent but only with some user interaction. Example:
1.) admin goes to CreateUser page
2.) web-app puts a hidden field in CreateUser page that contains
    the random csrf token
3.) admin inserts user info and clicks submit
4.) the form fields and a hidden field containing the csrf token
    are sent to the CreateUserSubmit page
5.) CreateUserSubmit verifies the correctness of the csrf token

An attacker would try to call CreateUserSubmit directly providing
the form fields to create a new backdoor account and trick the admin
into "executing" this POST request.
This will not work anymore because the attacker does not know the random
csrf token and the CreateUserSubmit page will therefore reject the request.
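The five-step flow above, written out as a small Python example (added here for illustration; it is not code from this thread or from CSRFGuard). It assumes an in-memory dictionary standing in for the server-side session store and invents the handler names `render_create_user_form` and `create_user_submit`. The point it makes concrete is the one in the reply: the session token travels in a cookie the browser attaches to every request for that site, while the CSRF token lives in a hidden form field that only a form rendered by the site itself can carry, so a request that arrives with the cookie but without the matching token is rejected.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store: session cookie value -> session data.
# A real application would use its server-side session backend instead.
SESSIONS: dict[str, dict] = {}


def create_session() -> str:
    """Mint a session token and store it; the browser receives it as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "admin", "csrf_token": None}
    return sid


def get_csrf_token(sid: str) -> str:
    """Return the per-session CSRF token, creating it on first use.

    The token is kept server-side and tied to the session. It is never set as a
    cookie, so the browser will not attach it to a request on its own.
    """
    session = SESSIONS[sid]
    if session["csrf_token"] is None:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_create_user_form(sid: str) -> str:
    """Step 2: emit the CreateUser form with the token in a hidden field."""
    token = get_csrf_token(sid)
    return (
        '<form method="post" action="/CreateUserSubmit">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="username"><input name="password">'
        '<button type="submit">Create</button></form>'
    )


def create_user_submit(cookies: dict, form: dict) -> tuple[int, str]:
    """Step 5: handler for CreateUserSubmit.

    `cookies` is what the browser sends automatically (the session cookie);
    `form` is what the submitted form body carried. Returns (HTTP status, message).
    """
    sid = cookies.get("session")
    if sid is None or sid not in SESSIONS:
        return 401, "no valid session"
    expected = SESSIONS[sid]["csrf_token"]
    submitted = form.get("csrf_token", "")
    # Reject when no token was ever issued for this session or the submitted
    # value does not match. compare_digest avoids a timing side-channel.
    if expected is None or not hmac.compare_digest(
        expected.encode(), submitted.encode()
    ):
        return 403, "CSRF token missing or invalid"
    username = form.get("username", "")
    if not username:
        return 400, "username required"
    return 201, f"user {username} created by {SESSIONS[sid]['user']}"


def demo() -> tuple[int, int]:
    """Legitimate submission vs. a cross-site POST that carries only the cookie."""
    sid = create_session()
    render_create_user_form(sid)  # step 1-2: admin loads the CreateUser page
    token = get_csrf_token(sid)
    # Steps 3-5: the real form sends cookie plus hidden token.
    legit, _ = create_user_submit(
        {"session": sid},
        {"csrf_token": token, "username": "bob", "password": "x"},
    )
    # Forged request: the browser still attaches the session cookie, but a
    # third-party page cannot read the hidden field, so no token is present.
    forged, _ = create_user_submit(
        {"session": sid}, {"username": "backdoor", "password": "x"}
    )
    return legit, forged


if __name__ == "__main__":
    print(demo())  # (201, 403)
```

Note that the token is compared against the value stored for the session that the cookie identifies, so a token issued to one session cannot be replayed against another; the same check is what a filter such as CSRFGuard performs before the request reaches the application.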


