
Why does Double Submit Cookies require a separate cookie?

Çağlar Arlı      -    61 Views

According to OWASP:

When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id.

(emphasis mine)

Why does the CSRF token need to be stored in a separate cookie if the session id is:

  • a random value (a value the attacker cannot guess)
  • stored in a cookie (a value the attacker cannot read)
  • generated by the server (a value the attacker cannot write)

Why not simply use the session id as the CSRF token? You'd still submit the value twice (once in the cookie, once in the form) and compare the values, but wouldn't use a separate cookie for the CSRF token.
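The double-submit check the question describes, as an added example that is not code from the post or from OWASP: on login the server issues a session id and a separate CSRF value as two cookies, and a state-changing request is accepted only when the form field matches the CSRF cookie. It goes one step beyond the quoted text by binding the token to the session with a server-side HMAC (OWASP's signed variant), so a token from one session is rejected for another. `SERVER_KEY` is a constructed per-deployment secret; the cookie and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a long-lived server secret, one per deployment.
SERVER_KEY = secrets.token_bytes(32)


def new_csrf_token(session_id: str) -> str:
    """Token = HMAC(key, session_id ! nonce) . nonce, so it is not the session id
    itself but can still be checked against the session it was issued for."""
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}!{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{nonce}"


def login() -> tuple[str, str, list[tuple[str, str]]]:
    """Return (session_id, csrf_token, Set-Cookie headers) for a fresh login.
    The session cookie is HttpOnly; the CSRF cookie deliberately is not, since
    client-side code may need to copy it into a form field or request header."""
    session_id = secrets.token_urlsafe(32)
    csrf = new_csrf_token(session_id)
    headers = [
        ("Set-Cookie", f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"),
        ("Set-Cookie", f"csrf={csrf}; Secure; SameSite=Lax; Path=/"),
    ]
    return session_id, csrf, headers


def verify_double_submit(cookies: dict[str, str], form: dict[str, str]) -> bool:
    """Accept only if the form token equals the CSRF cookie and that token was
    issued for the session cookie presented alongside it."""
    session_id = cookies.get("session")
    cookie_token = cookies.get("csrf")
    form_token = form.get("csrf_token")
    if not (session_id and cookie_token and form_token):
        return False  # a cross-site forged request carries cookies but no form token
    if not hmac.compare_digest(cookie_token, form_token):
        return False  # the "double submit" comparison, in constant time
    mac, sep, nonce = cookie_token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}!{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # token bound to this session
```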