"Synchronizer Token Pattern" Question

Hi, I was just reading the CSRF Prevention Cheat Sheet  and had a question about the "Synchronizer Token Pattern" prevention method.


The recommended method suggests using a single challenge token for the session for usability.  Wouldn't that just be like setting two session cookies instead of one?  And if so how is that any more secure?

For example if an attacked pulls the sessionID from the headers and then pulls that session token from the body, then they can hijack the session and launch an attack. 


What am I missing about this technique?




You need to be a member of OWASP to add comments!


Email me when people reply –


  • To answer my own question I am going to hazard a guess that this method is more a defense by obscurity against automated attacks. The sessionID from the header is pretty standard whereas a challenge token field name is going to be custom to the application or even per page.

This reply was deleted.