This section covers the CSRF attack and how to prevent it.
If you are not yet familiar with HTML / HTTP, you can skip this section for now.
CSRF (Cross-Site Request Forgery) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
- Suppose a bank transfers money via a URL:
http://www.examplebank.com/withdraw?amount=A&for=B
  - A is the amount to transfer
  - B is the target account name
- An attacker sends a link to victims via email:
http://www.examplebank.com/withdraw?amount=1000&for=AttackerAccount
- Any logged-in victim who clicks the link would send $1000 to AttackerAccount, because the browser attaches the victim's session cookie to the request automatically.
- XSS exploits the trust a user has in a particular site
- CSRF exploits the trust that a site has in a user's browser
- Synchronizer Token Pattern
  - The server generates a unique secret token and binds it to the user's session
  - The server renders the form with that token in a hidden field:
<input type="hidden" name="csrfmiddlewaretoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" />
  - When the client request arrives, the server compares the request token with the session token
    - same as the session token: valid request
    - different from the session token (or missing, as in the emailed link above): invalid request
  - After a valid request, destroy the token in the session so it cannot be reused
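The following is an added example (not code from the original notes) of the Synchronizer Token Pattern in plain Python: it generates a token bound to a session, renders it into the hidden field named above, validates a submitted request in constant time, and destroys the token after a valid use. The in-memory session dict, the `/withdraw` form and the `handle_withdraw` handler are assumptions made for illustration; a real application would use its framework's session store.

```python
import hmac
import secrets


def generate_csrf_token(session):
    """Generate a fresh secret token and bind it to the user's session.

    `session` is a dict standing in for the server-side session store
    (assumption for this example).
    """
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    session["csrf_token"] = token
    return token


def render_form(session, action="/withdraw"):
    """Render the transfer form with the session's token in a hidden field."""
    token = generate_csrf_token(session)
    return (
        f'<form method="POST" action="{action}">\n'
        f'  <input type="hidden" name="csrfmiddlewaretoken" value="{token}" />\n'
        '  <input type="text" name="amount" />\n'
        '  <input type="text" name="for" />\n'
        '  <input type="submit" value="Transfer" />\n'
        '</form>'
    )


def validate_csrf_token(session, submitted_token):
    """Compare the submitted token with the session token.

    Returns True only if a token exists in the session and matches the
    submitted one. On a match the session token is destroyed so the same
    token cannot be replayed. On a mismatch it is left in place, so a
    forged request cannot invalidate the legitimate user's pending form.
    """
    expected = session.get("csrf_token")
    if expected is None or submitted_token is None:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected, submitted_token):
        return False
    del session["csrf_token"]
    return True


def handle_withdraw(session, form):
    """Hypothetical request handler: process the transfer only if the
    request carries a valid CSRF token. `form` is the parsed request body
    as a dict of field name -> value."""
    if not validate_csrf_token(session, form.get("csrfmiddlewaretoken")):
        return (403, "invalid or missing CSRF token")
    return (200, f"transferred {form['amount']} to {form['for']}")


if __name__ == "__main__":
    session = {}
    print(render_form(session))
    # Constructed request with no token, like the emailed link on this page.
    print(handle_withdraw(session, {"amount": "1000", "for": "AttackerAccount"}))
    # Constructed request from the rendered form, carrying the right token.
    token = session["csrf_token"]
    print(handle_withdraw(session, {"csrfmiddlewaretoken": token,
                                    "amount": "50", "for": "Alice"}))
    # The same token submitted again is rejected: it was destroyed on use.
    print(handle_withdraw(session, {"csrfmiddlewaretoken": token,
                                    "amount": "50", "for": "Alice"}))
```

The token must be tied to the server-side session and never derived from anything the attacker's page can read; the forged request on this page fails simply because the attacker cannot know the value the server placed in the victim's form.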