Hi, I was just reading the CSRF Prevention Cheat Sheet and had a question about the "Synchronizer Token Pattern" prevention method.
The recommended method suggests using a single challenge token for the session for usability. Wouldn't that just be like setting two session cookies instead of one? And if so how is that any more secure?
For example, if an attacker pulls the sessionID from the headers and then pulls that session token from the body, then they can hijack the session and launch an attack.
What am I missing about this technique?
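For readers following this thread, here is a minimal, self-contained sketch of the Synchronizer Token Pattern the question refers to. It is an added example, not code from the CSRF Prevention Cheat Sheet or from the poster; the in-memory session store, the dict-shaped request, the cookie name "sessionid" and the handler names are assumptions made so the script runs stand-alone. It exercises three cases: a legitimate same-origin form post that carries both the session cookie and the per-session token, a forged cross-site post where the browser attaches the cookie automatically but the attacker's page cannot read the token, and the scenario the question describes, where the attacker already holds both values.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# A real app would keep this server-side in its session backend.
SESSIONS = {}


def create_session(user):
    """Create a session and bind one CSRF token to it for its lifetime."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the app renders into a hidden form field on its own pages."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(request):
    """State-changing handler. `request` is a constructed stand-in for a
    framework request: {"cookies": {...}, "form": {...}}."""
    sid = request["cookies"].get("sessionid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time compare of the submitted token against the session-bound one.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, "transfer accepted for " + session["user"]


def legitimate_request(sid):
    """Same-origin form post: the page embedded the token, the browser sends the cookie."""
    return {
        "cookies": {"sessionid": sid},
        "form": {"amount": "100", "csrf_token": csrf_token_for(sid)},
    }


def forged_request(sid):
    """Cross-site form post. The browser attaches the victim's cookie on its own,
    but the attacker's page cannot read the token out of the victim's session
    (same-origin policy), so it can only omit or guess it."""
    return {
        "cookies": {"sessionid": sid},
        "form": {"amount": "100", "csrf_token": "attacker-guess"},
    }


def stolen_credentials_request(sid):
    """The scenario from the question: the attacker already holds both the
    session ID and the token (for example from a stolen copy of the page).
    The synchronizer token does not defend against that; it only stops
    requests the attacker cannot populate with the token."""
    return legitimate_request(sid)


if __name__ == "__main__":
    sid = create_session("alice")
    print(handle_transfer(legitimate_request(sid)))
    print(handle_transfer(forged_request(sid)))
    print(handle_transfer(stolen_credentials_request(sid)))
```

The check is on the request body, not the cookie jar: the browser sends cookies to the site regardless of which page initiated the request, while the hidden-field token only appears in forms the application itself rendered into a page the user loaded from it.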