Synchronizer token pattern (STP)

Hasanka Amarasinghe
4 min readOct 13, 2019


Synchronizer token pattern (STP) is a method to mitigate the risk of CSRF attacks. Most web applications and servers use an HTTP session to identify the logged-in user: the session is created on the server side and its session ID is passed to the client. The synchronizer token pattern adds a secret, unique token that the web application embeds in all of its HTML forms and verifies on the server side. Because the token is generated by the server, the server can ensure it is unique. In this post the server generates one token per session. An attacker is therefore unable to place a correct token in the requests they forge on the user's behalf.

That is why we use STP to prevent CSRF attacks. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

Follow this diagram to get an idea of the synchronizer token pattern:

Implementation

I have based this walkthrough on the following example: click here

First, enter the email and password and log in to the web application.

Email — hasanka@gmail.com

Password — hasanka

If you are authenticated successfully, you can submit your details such as Username, DOB, Address and Age.

Login Page

This login form submits the user credentials using the POST method. After the form is submitted, a random number is created by a function and saved in a session variable called token. The token is always kept on the server side.

dscaddinfo.php

After the credentials are validated and the user is authenticated, the user is redirected to dscaddinfo.php, where transaction details can be added to the application.

Here, after the user has logged in, the browser sends an Ajax call to form.php to fetch the CSRF token. This Ajax call carries the session ID. The server then responds with the corresponding CSRF token in the response body.

AJAX call

The retrieved CSRF token is stored in a hidden field in form.php.

hidden field

The CSRF token is validated by dscvalidation.php. When the user adds Full Name, DOB, Address and Age to the application, the request carries the generated CSRF token. The server then validates the session ID in the request header against the one stored on the server side, and it also compares the CSRF token in the body with the token in the request header.

dscvalidation.php

If the CSRF tokens match, the application will display “you are free of CSRF”.

CSRF free

If not, there will be an error message.

error message
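The three server-side steps described above (issue the token at login, hand it to the form's Ajax call, verify it on submit) condensed into one PHP file. This is an added example, not the post's own code: it assumes the session key and POST field are both named `token`, uses a CSPRNG (`random_bytes`) instead of a plain random number, and compares with `hash_equals` so the check takes the same time whether or not the token matches.

```php
<?php
// Added example, not the post's own code. Assumes the session key and the
// hidden form field are both called "token", as in the post's walkthrough.
declare(strict_types=1);

session_start();

// Step 1 (login handler, after the credentials are verified):
// one token per session, drawn from a CSPRNG rather than rand()/mt_rand().
function issueCsrfToken(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // 64 hex characters
    }
    return $_SESSION['token'];
}

// Step 2 (form.php answering the Ajax call): return this session's token.
// The session cookie already identifies the session; nothing else is needed.
function sendCsrfToken(): void
{
    header('Content-Type: application/json');
    echo json_encode(['token' => issueCsrfToken()]);
}

// Helper for the hidden field; escaped so the token cannot break the markup.
function csrfHiddenField(): string
{
    $value = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $value . '">';
}

// Step 3 (dscvalidation.php): the submitted token must equal the stored one.
// hash_equals() is a constant-time comparison; a missing token always fails.
function validateCsrfToken(?string $submitted): bool
{
    $stored = $_SESSION['token'] ?? '';
    if ($submitted === null || $stored === '') {
        return false;
    }
    return hash_equals($stored, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (validateCsrfToken($_POST['token'] ?? null)) {
        echo 'you are free of CSRF';
    } else {
        http_response_code(403);
        echo 'CSRF token mismatch';
    }
}
```

A forged cross-site form post still carries the victim's session cookie, but not the token from the hidden field, so it lands in the 403 branch.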

Thank you!
