Sessionless CSRF protection (double submit cookies)

蹲街弑〆低调 submitted on 2019-12-23 11:51:03

Question

From my lecture on owasp.org they recommend the synchronizer token pattern and don't encourage using double submit cookies.

The synchronizer token pattern involves the use of a session. I have reasons to NOT want to use sessions (poor performance in a high-traffic environment, and they are hard to share across multiple machines). So as I am left with the double submit cookies, I need to understand why they might not be as secure as the session approach.

The owasp.org article mentions XSS as a potential problem (because inclusion of the session ID in the form HTML can be read via JS), but that issue can happen with the synchronizer tokens as well (since they too are included in the forms as hidden fields). In short, XSS renders any CSRF protection useless (and if you allow XSS then probably CSRF isn't your biggest problem).

So are there any reasons I should stay away from double submit cookies?

Source: https://stackoverflow.com/questions/9676837/sesionless-csrf-protection-double-submit-cookies
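The pattern the question asks about, as an added worked example (this code is not from the question, from any answer on the thread, or from OWASP): the server issues a random token, places it in a cookie and in a hidden form field, and on a state-changing request checks that the two copies match, with no server-side state. The block also shows the signed variant, which goes beyond the question: because the plain check only asks "do cookie and form agree?", any party able to write a cookie for the domain (a sibling subdomain, for instance) can supply a matching pair, so the signed form authenticates the token with a server-side HMAC keyed by a secret the attacker does not hold. The cookie name `__Host-csrf`, the field name `csrf_token`, the `SERVER_SECRET` value and the `binding` string are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs

# Constructed placeholder secret for the example; a deployment loads this from
# configuration and shares it across all servers (no per-user session needed).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Assumed names. The __Host- prefix makes browsers refuse the cookie unless it
# is Secure, has no Domain attribute and Path=/, so subdomains cannot set it.
CSRF_COOKIE = "__Host-csrf"
CSRF_FIELD = "csrf_token"


def issue_token() -> str:
    """Plain double submit: one random value, written to both cookie and form field."""
    return secrets.token_urlsafe(32)


def verify_double_submit(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Stateless check: reject if either copy is missing or the two differ.

    compare_digest avoids leaking the position of the first mismatch via timing.
    """
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def check_request(headers: dict, body: str) -> bool:
    """Apply the plain check to a raw Cookie header and a form-encoded POST body."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    cookie_token = jar[CSRF_COOKIE].value if CSRF_COOKIE in jar else None
    form_token = parse_qs(body).get(CSRF_FIELD, [None])[0]
    return verify_double_submit(cookie_token, form_token)


def _mac(nonce: str, binding: str) -> str:
    # binding is whatever identifies the principal without a session, e.g. the
    # authenticated user id; an empty string for anonymous forms.
    msg = f"{nonce}.{binding}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_signed_token(binding: str) -> str:
    """Signed double submit: nonce.HMAC(secret, nonce.binding).

    A token forged by someone who can set cookies but lacks SERVER_SECRET
    fails verification, which the plain pattern cannot detect.
    """
    nonce = secrets.token_urlsafe(32)  # token_urlsafe never emits '.', so it is a safe separator
    return f"{nonce}.{_mac(nonce, binding)}"


def verify_signed_token(token: Optional[str], binding: str) -> bool:
    """Recompute the MAC over the presented nonce and binding and compare."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    return hmac.compare_digest(mac, _mac(nonce, binding))


if __name__ == "__main__":
    tok = issue_token()
    print("matching pair accepted:", check_request({"Cookie": f"{CSRF_COOKIE}={tok}"}, f"{CSRF_FIELD}={tok}&comment=hi"))
    print("missing form field rejected:", not check_request({"Cookie": f"{CSRF_COOKIE}={tok}"}, "comment=hi"))
    signed = issue_signed_token("user42")
    print("signed token for user42 accepted:", verify_signed_token(signed, "user42"))
    print("same token for user43 rejected:", not verify_signed_token(signed, "user43"))
```

The plain check is exactly as cheap and as stateless as the question wants; the signed variant keeps those properties (the only shared state is the secret key) while closing the cookie-forgery gap, which is why the signed form is the one to prefer when sessions are off the table.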
