Another public service announcement. Cool.
One thing worth being clear on: if you follow the double-submit cookie method, and the cookie value you place within the HTML form has any kind of meaning beyond preventing CSRF (if it is, say, the session cookie), you're opening yourself to other problems. Whatever you write into the form lands in the page body, where it can be read by anything that can read the page, cached, logged, or leaked along with the HTML, so a value with meaning beyond CSRF protection no longer stays private to the cookie jar.
To avoid the complications, use one of these approaches:
- Make sure the cookie used in the HTML form is NEVER used for anything else (such as, say, user authentication).
- Put in the form a value derived from the cookie rather than the cookie itself. An HMAC of the cookie, keyed on a server-side secret, would work great for something like this: the server can recompute it from the submitted cookie, but nothing outside the server can.
The latter approach is sane, cheap (no server state, no new cookie) and sufficient to avoid the XSRF class of attack, and is probably my favorite.
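The HMAC variant of the double-submit check, as an added example that is not code from the original post. It assumes a server-side secret loaded from configuration (the literal here is a placeholder), and the function names (`form_token_for`, `verify_csrf`, `naive_verify`) are this example's own. The naive comparison is included only to show the difference: with plain double-submit, anyone who can plant a cookie on the browser (a sibling subdomain, for instance) can also supply a matching form field, whereas the keyed HMAC cannot be produced without the secret.

```python
import hashlib
import hmac
import secrets

# Hypothetical server secret. In practice load this from configuration or a
# secret store; it must never reach the client. Rotating it invalidates every
# outstanding form token, which is usually acceptable.
SERVER_SECRET = b"replace-me-with-32-random-bytes-from-config"


def issue_csrf_cookie() -> str:
    """Mint a fresh random value for the CSRF cookie (used for nothing else)."""
    return secrets.token_urlsafe(32)


def form_token_for(cookie_value: str, secret: bytes = SERVER_SECRET) -> str:
    """Value to embed in the HTML form: HMAC-SHA256 of the cookie under the secret.

    The form token is derived from the cookie, so the cookie itself never
    appears in page markup, and the server keeps no per-request state.
    """
    return hmac.new(secret, cookie_value.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf(cookie_value: str, form_value: str, secret: bytes = SERVER_SECRET) -> bool:
    """Accept the request only if the form token is the HMAC of the submitted cookie.

    Both values come from the incoming request: the cookie from the Cookie
    header, the form value from the POST body (or a custom header for XHR).
    """
    if not cookie_value or not form_value:
        return False
    expected = form_token_for(cookie_value, secret)
    # Constant-time comparison so the check does not leak the expected token.
    return hmac.compare_digest(expected, form_value)


def naive_verify(cookie_value: str, form_value: str) -> bool:
    """Plain double-submit: cookie must equal the form field. Shown for contrast."""
    if not cookie_value or not form_value:
        return False
    return hmac.compare_digest(cookie_value, form_value)


if __name__ == "__main__":
    # Legitimate flow: server sets the cookie, renders the derived token into the form.
    cookie = issue_csrf_cookie()
    token = form_token_for(cookie)
    print("legitimate request accepted:", verify_csrf(cookie, token))

    # Attacker who can plant a cookie (constructed scenario, e.g. from a sibling
    # subdomain) picks cookie and form value together. Naive double-submit
    # accepts it; the HMAC variant rejects it because the attacker lacks the key.
    print("naive check fooled by planted cookie:", naive_verify("planted", "planted"))
    print("HMAC check fooled by planted cookie:", verify_csrf("planted", "planted"))
```

The CSRF cookie here is a dedicated random value, not the session cookie, so the example satisfies both bullets above at once; if you derive the form token from the session cookie instead, keep in mind that the session cookie then drives the CSRF check and must be rotated with the same care.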