To confirm that the form was submitted by the user, the following mechanism is used: when the page is sent, a cookie with a random value is set for the user, and the same value is embedded in a hidden field of the HTML form. If this has already been done (the cookie is already set), the value for the hidden field is taken from the cookie. When the request is received, the server checks the values of the cookie and the hidden field.

Does it make sense to write a hashed value in the hidden field? That is, will it increase security overall?

And is the scheme itself secure? The token has not been changed since it was set in the cookie.

  • If the user opens 2 tabs, the first one will be invalid, since the cookie will have the value from the other tab. - Zergatul
  • @Zergatul, the cookie has not changed since it was set. I forgot to write that if the cookie exists, we take the value for the hidden field from it. - Andrei
  • @Zergatul, but now I realize that writing a hash to a cookie makes no sense. - Andrei

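The scheme described in the question is the double-submit cookie pattern. The following is an added example (not code from the original post or its commenters) that implements it end to end and exercises the cases raised in the question and the comments: a normal submission, two tabs sharing one cookie, a cross-site forgery where the attacker cannot read the cookie, the hashed-hidden-field variant, and the one assumption the scheme actually rests on, namely that only the site can write that cookie. The cookie name `csrf`, the field name `csrf_token`, and the helper names are assumptions chosen for the example; the cookie jar is a plain dict standing in for the browser.

```python
import hashlib
import hmac
import secrets
from html import escape

COOKIE_NAME = "csrf"        # assumed cookie name (not from the original post)
FIELD_NAME = "csrf_token"   # assumed hidden-field name (not from the original post)


def new_token():
    """Fresh random token: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def field_value(token, hashed_field):
    """What goes into the hidden field: the token itself or its SHA-256.
    Hashing changes nothing for the attacker: he still cannot read the cookie,
    so he cannot produce the matching field either way."""
    if hashed_field:
        return hashlib.sha256(token.encode()).hexdigest()
    return token


def render_page(cookies, hashed_field=False):
    """Serve the form. If the CSRF cookie already exists its value is reused
    (so a second tab keeps working); otherwise a token is minted and set.
    `cookies` is the request's cookie dict and is updated in place, as a
    browser's cookie jar would be. Returns (set_cookie_headers, html)."""
    headers = []
    token = cookies.get(COOKIE_NAME)
    if token is None:
        token = new_token()
        cookies[COOKIE_NAME] = token
        headers.append(f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; SameSite=Lax; HttpOnly")
    field = field_value(token, hashed_field)
    html = (f'<form method="post" action="/submit">'
            f'<input type="hidden" name="{FIELD_NAME}" value="{escape(field)}">'
            f'<input type="submit"></form>')
    return headers, html


def validate(cookies, form, hashed_field=False):
    """Server-side check on POST: the cookie and the hidden field must agree.
    Compared in constant time so the token cannot be probed byte by byte."""
    cookie_val = cookies.get(COOKIE_NAME)
    field_val = form.get(FIELD_NAME)
    if not cookie_val or not field_val:
        return False
    expected = field_value(cookie_val, hashed_field)
    return hmac.compare_digest(expected.encode(), field_val.encode())


def extract_field(html):
    """Pull the hidden field back out of the rendered form; stands in for the
    browser submitting it."""
    marker = f'name="{FIELD_NAME}" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def scenario_legitimate(hashed_field=False):
    """User loads the page and submits the form it was given."""
    jar = {}
    _, html = render_page(jar, hashed_field)
    return validate(jar, {FIELD_NAME: extract_field(html)}, hashed_field)


def scenario_two_tabs():
    """Second tab sees the cookie already set and reuses it, so both forms pass."""
    jar = {}
    _, html1 = render_page(jar)
    _, html2 = render_page(jar)
    return (validate(jar, {FIELD_NAME: extract_field(html1)}),
            validate(jar, {FIELD_NAME: extract_field(html2)}))


def scenario_cross_site_forgery(hashed_field=False):
    """Attacker's page auto-submits a form to the site. The browser attaches the
    victim's cookie, but the attacker cannot read it and has to guess the field."""
    jar = {}
    render_page(jar, hashed_field)                      # victim already has the cookie
    forged = {FIELD_NAME: field_value(new_token(), hashed_field)}
    return validate(jar, forged, hashed_field)


def scenario_cookie_injection():
    """The scheme's real assumption: nobody but the site can write the cookie.
    If an attacker can plant one (for example from a sibling subdomain), he
    controls both halves and the check passes. Returning True here is the bug."""
    jar = {}
    render_page(jar)
    planted = new_token()
    jar[COOKIE_NAME] = planted                          # attacker-controlled cookie write
    return validate(jar, {FIELD_NAME: planted})
```

The hashed variant passes and fails in exactly the same cases as the plain one, which is the practical answer to the question: the hash costs a SHA-256 per request and buys nothing, because the secret the attacker lacks is the cookie, not the representation of the field. The last scenario is the check worth keeping in mind when judging whether the scheme is safe for a given deployment: it is only as strong as the guarantee that no attacker-controlled origin can set cookies for the site, which is why the token is often additionally bound to the session (for example by signing it with a server-side key) rather than trusted as a bare cookie value.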