Cross-site request forgery (CSRF / XSRF): CSRF is a security threat that has affected many crucial websites, such as banks and government sites. It allows an unauthorized party to make requests to the application on behalf of the actual user, without that user's knowledge. Let's look at it in detail.
When does CSRF happen?
Take this scenario: a user logs into his bank account from a browser and, before logging out, browses other sites (some of them malicious) in another tab of the same browser. The malicious site may contain links or JavaScript that send a request to the bank site to transfer money to the attacker's account, and because the browser attaches the bank's session cookie to that request automatically, the bank treats it as the user's own. CSRF exploits the trust that a site places in the user's browser.
How to prevent this?
The most common defence is the Synchronizer Token Pattern, although several other mechanisms exist. With the Synchronizer Token Pattern, the server generates a unique secret token, embeds it in the HTML form, and verifies it when the client sends it back with the request. There are different methods for creating tokens, such as hashing. Because the attacker's site cannot read the token from the user's session, it cannot place the token on the forged request.
CSRF / XSRF token mismatch issue: as described above, if the token sent from the client to the server is not successfully verified, the application throws a 500 Internal Server Error with the message "CSRF/XSRF token mismatch".
CSRF / XSRF token mismatch issue in a clustered environment: when multiple application servers run in parallel behind a load balancer, the load balancer may route each request to a different application server. If each server keeps the session's token in its own memory, the token issued by one server is unknown to the next, and the request fails with a token mismatch. To solve this, we can use sticky sessions (session affinity), which bind a user's session to one specific application server so that the token no longer mismatches.
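To make the Synchronizer Token Pattern and the clustered-environment mismatch concrete, here is an added Python model (example code written for this page, not taken from any framework or from the original post). It assumes a hypothetical `AppServer` that issues a per-session token on GET, embeds it as a hidden `_csrf` field, and verifies it on POST; the `TokenStore` class stands in for per-server session memory, and handing two servers the same `TokenStore` stands in for a shared session store, the other common fix besides sticky sessions. All session ids and form values are constructed sample data.

```python
import hmac
import re
import secrets


class TokenStore:
    """Maps a session id to its CSRF token. One instance per application
    server models per-server memory; one instance handed to several servers
    models a shared session store."""

    def __init__(self):
        self._tokens = {}

    def get(self, session_id):
        return self._tokens.get(session_id)

    def set(self, session_id, token):
        self._tokens[session_id] = token


class AppServer:
    """Minimal application server implementing the Synchronizer Token Pattern
    (hypothetical class written for this example)."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def render_form(self, session_id):
        """GET: issue (or reuse) the session's token and embed it in the form."""
        token = self.store.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self.store.set(session_id, token)
        return (
            '<form method="POST" action="/transfer">'
            f'<input type="hidden" name="_csrf" value="{token}">'
            '<input name="to"><input name="amount"></form>'
        )

    def handle_post(self, session_id, form):
        """POST: accept only if the submitted token equals the session's token."""
        expected = self.store.get(session_id)
        submitted = form.get("_csrf")
        if expected is None or submitted is None:
            return False, "CSRF token mismatch: no token for this session or request"
        # Constant-time comparison so the check does not leak the token via timing.
        if not hmac.compare_digest(expected, submitted):
            return False, "CSRF token mismatch"
        return True, f"{self.name}: transfer of {form['amount']} to {form['to']} accepted"


def extract_token(html):
    """What the browser does implicitly: submit the hidden field the form carries."""
    match = re.search(r'name="_csrf" value="([^"]+)"', html)
    return match.group(1) if match else None


def legitimate_flow(server, session_id="sess-alice"):
    """Same-origin user loads the form, then submits it with the hidden token."""
    token = extract_token(server.render_form(session_id))
    ok, _ = server.handle_post(session_id, {"_csrf": token, "to": "bob", "amount": "10"})
    return ok


def forged_flow(server, session_id="sess-alice"):
    """Cross-site submission: the browser attaches Alice's session cookie, but the
    other site cannot read her token, so the request arrives without one."""
    server.render_form(session_id)  # Alice visited the bank earlier in this session
    ok, _ = server.handle_post(session_id, {"to": "mallory", "amount": "10"})
    return ok


def clustered_flow(shared_store, session_id="sess-alice"):
    """Form served by server app-1, submission routed by the load balancer to app-2."""
    if shared_store:
        store_a = store_b = TokenStore()          # shared session store
    else:
        store_a, store_b = TokenStore(), TokenStore()  # each server's own memory
    a = AppServer("app-1", store_a)
    b = AppServer("app-2", store_b)
    token = extract_token(a.render_form(session_id))
    ok, _ = b.handle_post(session_id, {"_csrf": token, "to": "bob", "amount": "10"})
    return ok


if __name__ == "__main__":
    single = AppServer("app-1", TokenStore())
    print("legitimate submit accepted:", legitimate_flow(single))          # True
    print("forged cross-site submit accepted:", forged_flow(single))       # False
    print("cluster with shared store accepted:", clustered_flow(True))     # True
    print("cluster with per-server store accepted:", clustered_flow(False))  # False
```

The last case is the clustered mismatch from the paragraph above: the token issued by app-1 is unknown to app-2, so a correct user submission is rejected. Sticky sessions fix it by keeping the user on app-1; sharing the token store (as in the `shared_store=True` case) fixes it without depending on the load balancer.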
For more details: Wiki and Sticky Session
Image Credits: Grasshopper.com, blog.iyog