Current section: Cross-Site Request Forgery 4 exercises

CSRF Protection with Cookies
00:00 For this first step, we're going to get a little bit of a peek into using cookies to persist some data so that we can associate this authenticity token with the particular client, so that when they submit their forms, we can check between the cookie that the client has and the token that was submitted in the form.

00:19 There's going to be a little bit of that. We're not going to dive too deep into the cookies until a future workshop, once we talk about authentication. You're going to be creating a cookie, you're going to be creating a CSRF object that will contain utilities that we're going to use to generate a CSRF as well as the cookie header.

00:37 You're going to be working in a utility file, and you're also going to be working in the root loader so that you can generate that token, set that cookie, and send it to the client. That's as far as we're going to get, and then in the next step, we'll go to actually integrating that with the form. This will also involve an environment variable so that we can sign

00:57 the cookie to prevent anybody from trying to create their own or tampering with that cookie. This is just the first step of a multi-step process for adding CSRF protection. Have a good time and we'll see you when you're done.