
CSRF Tokens and Cookies

Çağlar Arlı


I have been trying to understand how CSRF tokens work and, from my research, it looks like it is common for the server to provide both a CSRF cookie and a token to the end user. The user then returns them with the subsequent request and the server is able to validate the CSRF token against the CSRF cookie (by way of a MAC).

My question is this: the CSRF validation is confirming that the session token is a legitimate token issued by the server. How do they ensure that the cookie/token combo being returned is the one that was issued for this specific user?

In other words, what is stopping the attacker from initiating a session with the web app, getting a CSRF cookie/token, and attaching it to the malicious request?
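As an added example (not part of the question above, and not any particular framework's implementation), here is a minimal signed double-submit scheme in Python that plays out the scenario the question describes. The server secret, session ids, cookie names and the `_mac`/`validate_request` helpers are all constructed for this illustration. The key point it shows: the forged request is sent by the victim's browser, which attaches the victim's cookies (session and CSRF cookie), not the attacker's, so a token the attacker obtained for their own cookie/session does not verify. The naive variant is included for contrast, to show why binding the token to the session matters if an attacker can ever plant a cookie on the target domain.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed secret for this example only; a real server loads it from config.
SERVER_SECRET = b"example-server-secret-do-not-use"


def _mac(csrf_cookie: str, session_id: str) -> str:
    """HMAC over (session id, CSRF cookie value). The session id is included so a
    token is only valid for the exact cookie and session it was minted for."""
    msg = f"{session_id}\x00{csrf_cookie}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_pair(session_id: str) -> Tuple[str, str]:
    """Server side: mint a random CSRF cookie and the token that goes with it.
    The cookie is sent as Set-Cookie; the token is embedded in the page/form."""
    csrf_cookie = secrets.token_hex(16)
    return csrf_cookie, _mac(csrf_cookie, session_id)


def validate_request(request: Dict) -> bool:
    """Signed double-submit check: recompute the MAC from the cookies the browser
    actually sent and compare it (constant-time) to the submitted form token."""
    cookies = request["cookies"]
    session_id = cookies.get("session")
    csrf_cookie = cookies.get("csrf")
    csrf_token = request["form"].get("csrf_token")
    if not (session_id and csrf_cookie and csrf_token):
        return False
    return hmac.compare_digest(csrf_token, _mac(csrf_cookie, session_id))


def validate_naive(request: Dict) -> bool:
    """Plain (unsigned) double-submit: accept if cookie value == form token.
    Shown only for contrast; it has no binding to the session."""
    return request["cookies"].get("csrf") == request["form"].get("csrf_token")


def simulate() -> Dict[str, bool]:
    """Play out the question's scenario with constructed session ids."""
    victim_session = "sess-victim"
    attacker_session = "sess-attacker"
    victim_cookie, victim_token = issue_csrf_pair(victim_session)
    attacker_cookie, attacker_token = issue_csrf_pair(attacker_session)

    # Legitimate POST from the victim's own page: victim cookies + victim token.
    legit = {
        "cookies": {"session": victim_session, "csrf": victim_cookie},
        "form": {"csrf_token": victim_token},
    }
    # Cross-site form submitted from the attacker's page inside the victim's
    # browser: the attacker controls the form fields, but the browser attaches
    # the victim's cookies, so the attacker's token is checked against the
    # victim's cookie and session.
    forged = {
        "cookies": {"session": victim_session, "csrf": victim_cookie},
        "form": {"csrf_token": attacker_token},
    }
    # Worst case: the attacker also manages to plant their own CSRF cookie in
    # the victim's browser. The signed scheme still fails the request because
    # the MAC covers the victim's session id; the naive scheme accepts it.
    planted = {
        "cookies": {"session": victim_session, "csrf": attacker_cookie},
        "form": {"csrf_token": attacker_token},
    }
    planted_naive = {
        "cookies": {"session": victim_session, "csrf": "attacker-chosen-value"},
        "form": {"csrf_token": "attacker-chosen-value"},
    }
    return {
        "legit": validate_request(legit),
        "forged": validate_request(forged),
        "planted": validate_request(planted),
        "planted_naive": validate_naive(planted_naive),
    }


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the `legit` request passes the signed check; the `forged` and `planted` requests are rejected because the MAC is recomputed from the cookies the victim's browser actually sent. The `planted_naive` case is the one to watch for in a plain double-submit design: it passes, which is why implementations that cannot rule out cookie planting (for example via a sibling subdomain) tie the token to the session with a MAC as above.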