You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -71,7 +71,7 @@ This is a very simple method where each session has a unique CSRF [token](/serve
If storing the token server-side is not an option, using signed double-submit cookies is another approach. This is different from the basic double submit cookie in that the token included in the form is signed with a secret.
A new [token](/server-side-tokens) is generated and hashed with HMAC SHA-256 using a secret key. Each HMAC must be linked to the user's session.
A new [token](/server-side-tokens) is generated and hashed with HMAC SHA-256 using a secret key. Each HMAC must be linked to the user's session. You can alternatively encrypt the token with algorithms like AES.
The token is stored as a cookie and the HMAC is stored in the form. The cookie should have a`Secure`, `HttpOnly`, and `SameSite`flag. To validate a request, the cookie can be used to verify the signature sent in the form data.
The token is stored as a cookie and the HMAC is embedded in the form. The cookie should have the`Secure`, `HttpOnly`, and `SameSite`attribute. To validate a request, the cookie can be used to verify the signature sent in the form data.
