Forms protected against CSRF by default

5 years ago

David Grudl
Nette Core | 6797

What do you think about the following (implementation-easy) way?

Nette will automatically send a token in a cookie named __csrfs with expiration 0 (end of session), and all POST forms will always send a hidden field __csrf with the same token (masked against the BREACH attack). At a very low level (RequestFactory?) the tokens will be checked for whether they exist and are the same, and if not, error 403 will be thrown.


  • provides automatic protection for all forms, without the need to call addProtection()
  • does not depend on session
  • current error message (Please submit this form again) is actually an antipattern :-(
  • tokens in a cookie (unlike in HTML) do not require changing templates and are resistant to the BREACH attack


  • manually rendered forms without Latte will not work (note that </form n:name> and {/form} in Latte automatically render all HiddenFields, so I am talking about a very special kind of rendering.)
  • disclosure of the cookie token via XSS is a little bit easier, because it is available on all pages. (It can be protected via HttpOnly, but there is still a problem with session hijacking, see below.)
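
The scheme proposed in the post above, sketched as an added example that is not part of the original post and not Nette's code: a cookie/hidden-field pair is compared on every POST, and the field carries the token under a fresh mask on each render. The names __csrfs and __csrf come from the post; the function names, the 16-byte token, the base64 encoding and the XOR masking are assumptions.

```php
<?php
declare(strict_types=1);

const TOKEN_BYTES = 16; // assumed token size

/** Raw token, issued once and stored (base64) in the __csrfs cookie. */
function newCsrfToken(): string
{
    return random_bytes(TOKEN_BYTES);
}

/** Mask with a fresh random pad so the hidden field differs in every response (BREACH). */
function maskToken(string $token): string
{
    $pad = random_bytes(strlen($token));
    return base64_encode($pad . ($pad ^ $token)); // bytewise XOR on strings
}

/** Recover the raw token from a hidden-field value; null when malformed. */
function unmaskToken(string $masked): ?string
{
    $raw = base64_decode($masked, true);
    if ($raw === false || strlen($raw) !== 2 * TOKEN_BYTES) {
        return null;
    }
    return substr($raw, 0, TOKEN_BYTES) ^ substr($raw, TOKEN_BYTES);
}

/** Low-level check: on POST both values must exist and match; on false the caller answers 403. */
function isCsrfValid(string $method, array $cookies, array $post): bool
{
    if ($method !== 'POST') {
        return true;
    }
    $cookie = $cookies['__csrfs'] ?? null;
    $field = $post['__csrf'] ?? null;
    if (!is_string($cookie) || !is_string($field)) {
        return false; // token missing on either side
    }
    $expected = base64_decode($cookie, true);
    $actual = unmaskToken($field);
    if ($expected === false || $actual === null) {
        return false; // malformed value
    }
    return hash_equals($expected, $actual); // constant-time comparison
}

// Constructed sample requests: matching pair, field built from another token, field absent.
$token = newCsrfToken();
$cookies = ['__csrfs' => base64_encode($token)];
var_dump(isCsrfValid('POST', $cookies, ['__csrf' => maskToken($token)]));
var_dump(isCsrfValid('POST', $cookies, ['__csrf' => maskToken(newCsrfToken())]));
var_dump(isCsrfValid('POST', $cookies, []));
```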