I'm not going to draw you a picture, but here's how it works in steps:
1. Server generates one time random token (with an expiry time of around >= 20 mins)
2. Client serves token inside a hidden form input field.
3. When the submission is made the client token is checked against the server token and the expiry time.
4. The server then destroys the server side token whether the request is valid or not, and generates a new one.
There are a couple of pitfalls, like an empty token request (the client serves a blank token), and the server doesn't have a valid token generated if the attacker makes a request directly to the target operation without first making a request to generate a token. The expiry is required to stop token reuse by an attacker; also, the token should be user specific to stop an attacker's token being used by a user. You also have to make sure that the site cannot be framed, since you can bypass any token; see this attack [www.thespanner.co.uk]
------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
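The four steps and the pitfalls from the post above, as an added worked example in Python. This is not code from the post or from Hackvertor; the CsrfTokenStore class, its method names, the one-token-per-user layout, the injectable clock and the demo() scenario are my own assumptions for illustration. It shows a one-time, per-user, expiring token that is issued into a hidden field, destroyed on every submission whether valid or not, and then regenerated, and it rejects the direct request with no issued token, the blank token, another user's token, the expired token and the replayed token.

```python
import hmac
import html
import secrets
import time


class CsrfTokenStore:
    """Server side store of one-time, per-user, expiring anti-CSRF tokens.

    Assumption (not from the post): one outstanding token per user, keyed by
    the user's session identity, so a token issued to one user never
    validates for another. Framing is out of scope here; as the post says,
    a page that can be framed lets an attacker bypass any token, so the
    responses carrying these forms must also refuse to be framed.
    """

    def __init__(self, ttl_seconds=20 * 60, clock=time.time):
        self.ttl = ttl_seconds   # step 1: expiry of around 20 minutes
        self.clock = clock       # injectable so the demo can fast-forward time
        self._tokens = {}        # user_id -> (token, expires_at)

    def issue(self, user_id):
        """Step 1: generate a fresh random token bound to this user."""
        token = secrets.token_urlsafe(32)
        self._tokens[user_id] = (token, self.clock() + self.ttl)
        return token

    def hidden_field(self, user_id):
        """Step 2: the markup the client serves with the token inside it."""
        return '<input type="hidden" name="csrf_token" value="%s">' % (
            html.escape(self.issue(user_id), quote=True))

    def validate(self, user_id, submitted):
        """Steps 3 and 4: check the submitted token against the stored one and
        its expiry, destroy the stored token whether or not the request was
        valid, then generate a new one. Returns (accepted, reason)."""
        entry = self._tokens.pop(user_id, None)   # destroyed on every attempt
        accepted, reason = self._check(entry, submitted)
        self.issue(user_id)                       # step 4: a new token regardless
        return accepted, reason

    def _check(self, entry, submitted):
        if entry is None:
            # Pitfall: request made directly to the target operation without
            # first fetching a form, so no token was ever issued for this user.
            return False, "no token issued for this user"
        expected, expires_at = entry
        if not submitted:
            # Pitfall: the client served (or the attacker sent) a blank token.
            return False, "empty token"
        if self.clock() > expires_at:
            return False, "token expired"
        if not hmac.compare_digest(expected, submitted):
            # Covers a forged token and a token that was issued to another user.
            return False, "token mismatch"
        return True, "ok"


def demo():
    """Walk through the normal flow and each pitfall with a fake clock.
    Returns a list of (label, accepted) outcomes; only the last-but-one is accepted."""
    now = [1_000_000.0]                              # constructed clock value
    store = CsrfTokenStore(ttl_seconds=20 * 60, clock=lambda: now[0])
    results = []

    # Attacker posts straight to the target operation: nothing was issued.
    results.append(("direct request, no token issued",
                    store.validate("alice", "not-a-real-token")[0]))

    # Client serves a blank token.
    store.issue("alice")
    results.append(("blank token", store.validate("alice", "")[0]))

    # Attacker's own token sent against another user's session.
    mallory = store.issue("mallory")
    store.issue("alice")
    results.append(("other user's token", store.validate("alice", mallory)[0]))

    # Token submitted after the expiry time has passed.
    stale = store.issue("alice")
    now[0] += 20 * 60 + 1
    results.append(("expired token", store.validate("alice", stale)[0]))

    # Normal flow: form rendered with the hidden field, then submitted once.
    field = store.hidden_field("alice")
    token = field.split('value="')[1].split('"')[0]
    results.append(("valid submission", store.validate("alice", token)[0]))

    # Same token submitted again: it was destroyed on first use.
    results.append(("replay of used token", store.validate("alice", token)[0]))
    return results


if __name__ == "__main__":
    for label, accepted in demo():
        print("%-32s %s" % (label, "accepted" if accepted else "rejected"))
```

The token is compared with hmac.compare_digest rather than == so the check does not leak which prefix matched, and the stored token is popped before any check runs, so a failed attempt can never be retried against the same value.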