Cross-site request forgery (CSRF) is an attack in which a malicious page, e-mail, blog post or instant message causes the victim's browser to send a request to a site the victim is currently authenticated to, without the victim's knowledge. Because the browser attaches the victim's session cookie automatically, the site processes the forged request as if the user had made it. The consequence of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application: it can change a password, purchase items in the user's context, transfer funds, and so on. The attacker carries out the action through the user's own browser, and the user usually does not notice until the action has already completed.

The impact of a successful exploit depends on the privileges of the victim. Against a normal user, CSRF can compromise that user's data and the functions available to them; against an administrative account it can compromise the whole web application. Sites that are especially attractive targets are community websites and sites that handle payments, such as banks, bill-pay services and stock brokerages.
Defending against CSRF attacks
There are mainly two ways to defend against these attacks:
1. Checking standard headers (Origin, with Referer as a fallback) to verify that the request is same-origin.
2. Checking a CSRF token that an attacker cannot obtain, such as a synchronizer token tied to the user's session.
This post shows how to secure a login and a subsequent form submission using the synchronizer token pattern.
The login is created with a hard-coded user name and password, without using a database. If valid credentials are provided, a new session starts: the server creates a session identifier, stores it on the server side, and sets it as a cookie in the browser. A CSRF token is then generated and mapped to that session identifier.
With valid credentials the user is logged in.
With wrong credentials the page displays the message "Your username & password are not correct".
The website exposes an endpoint that accepts HTTP POST requests and responds with the CSRF token. The endpoint reads the session cookie from the request and, based on the session identifier, returns the token value issued for that session. The protected page is an HTML form whose method is POST and whose action is another URL on the same site. When the page loads, a JavaScript (AJAX) call invokes the endpoint to obtain the CSRF token created for the current session.
Once the response arrives, the script places the token in a hidden field of the form. When the form is submitted to its action URL, the server extracts the received CSRF token and checks whether it is the token issued for that particular session: it looks up the session from the session cookie, fetches the token stored for it, and compares the two values.
If the CSRF token is valid, a success message is displayed. Changing the value of the token (for example in the browser's developer tools) produces an error message. The following screenshots show a simple demonstration in which the tampered request is rejected with an error.
A simple project demonstrating the above procedure is available at the following link: https://github.com/Vishie21/csrf-synchronizer-token-2018.git
Sunday, May 13, 2018
Implementing Cross-site Request Forgery Protection in a web application via the Synchronizer token pattern