
I am really confused about what CSRF is. I know it stands for Cross-site request forgery. http://en.wikipedia.org/wiki/Csrf

When you read it here, it talks about the cross-site request forgery attack. But sometimes people use it to refer to the randomized string or token generated by the server to make sure each request is from the correct issuer.

If it is a token, my understanding is it can be stored in a cookie or HTTP header. When it is stored in a cookie, does the token name always have to be the same? Is there a standard token name I should be looking for, like CSRF=!@#(@!#@(!#JIJ@#KLJKLJLJ? In my particular application I see __RequestVerificationToken_ followed by a bunch of random characters. Is that CSRF? Can you name your CSRF token whatever you like?

PS: So I guess people can use "CSRF token" or "CSRF attack" to differentiate between the two. But if they just use "CSRF", which one are they really referring to?

DoodleKana

1 Answer


CSRF is the attack. A countermeasure to the attack is implementing CSRF tokens. These tokens are intended to prevent CSRF attacks from working. If someone just says "CSRF", they're probably talking about the attack, but you'll have to determine that yourself from the context of how it is used.

Your application (or framework in some cases) is what needs to know what CSRF token to expect. So the name of the cookie or parameter isn't important as long as your app knows what it is. There isn't a standard name that has to be used.

Here's another question and answer about preventing CSRF that gives you pointers on fixing the issue.

PwdRsch
A super minor point. Your answer is completely correct, but it may also be helpful to point out that although we widely use the term "CSRF token," a more technically accurate description would be "anti-CSRF token." Even though in practice we generally abbreviate and know what we mean, the more precise term may clear up a small bit of confusion. – Xander Aug 22 '14 at 16:18
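To make the answer's point concrete, here is an added example (not code from the question, the answer, or any framework named in the thread) of the server side of an anti-CSRF token check using the synchronizer-token pattern. The session store, the request shape (a session id plus a dict of form fields), and the default field name `csrf_token` are all assumptions constructed for this example; the example also shows that the field name is whatever the application configures, using the `__RequestVerificationToken` name mentioned in the question purely as a configured label.

```python
"""Minimal synchronizer-token anti-CSRF check (added example, not from the thread).

Assumptions (constructed for this example): an in-memory session store, a
request represented as a session id plus a dict of submitted form fields, and
a form-field name for the token that the application chooses itself.
"""
import hmac
import secrets

# Constructed in-memory session store: session_id -> expected anti-CSRF token.
# A real application would keep this in its server-side session storage.
_SESSIONS = {}


def issue_token(session_id, field_name="csrf_token"):
    """Generate a fresh unguessable token, bind it to the session, and return
    the (field_name, token) pair the server embeds in its own HTML form."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = token
    return field_name, token


def validate_request(session_id, form, field_name="csrf_token"):
    """Return True only if the submitted form carries the exact token that was
    issued to this session. The name of the field is whatever the application
    configured; what matters is that the app knows which field to read."""
    expected = _SESSIONS.get(session_id)
    submitted = form.get(field_name)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak token bytes via timing.
    return hmac.compare_digest(expected, submitted)


def demo():
    """Walk through three requests against one session (constructed scenario)."""
    # The application chose "__RequestVerificationToken" as its field name.
    field, token = issue_token("sess-A", "__RequestVerificationToken")

    # 1. Same-origin form rendered by the server: carries the issued token.
    legit = validate_request("sess-A", {field: token, "amount": "10"}, field)

    # 2. Cross-site request: the browser still attaches the victim's session
    #    cookie, but a third-party page cannot read the token, so it is absent.
    forged = validate_request("sess-A", {"amount": "10"}, field)

    # 3. Stale or guessed token value: rejected as well.
    wrong = validate_request("sess-A", {field: "not-the-issued-token"}, field)

    return legit, forged, wrong  # -> (True, False, False)


if __name__ == "__main__":
    print(demo())
```

The design point mirrors the answer: nothing about the cookie or field name is standardized, because the only party that has to recognise the token is the application that issued it. What does matter is that the token is unpredictable (`secrets.token_urlsafe`), bound to the session, and compared in constant time.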