On a PHP project I'm working on, I'd like to implement an anti-XSRF mechanism. I'm generating a random token and I store it in my session, `$_SESSION['token']`. When I submit a form, I include my session token in a hidden field and verify that the transmitted token == the stored token.

My question is: what is the security impact if I store this token in a cookie?

I think both solutions are exploitable in case of XSS, for example, and I'm not able to see which storage is the best for the token.

Thanks for your help.
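The two token storages the question compares, written out as an added example (this is not code from the original post): variant 1 keeps the token in `$_SESSION['token']` as the question describes, variant 2 keeps it in a cookie and checks the hidden field against that cookie. The helper names (`csrf_*`), the field/cookie name `csrf_token`, and the PHP 7.3+ array form of `setcookie()` are this example's own assumptions. Both variants compare with `hash_equals()` rather than `==`.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3
// (random_bytes(), hash_equals(), setcookie() with an options array).
// Names csrf_*, CSRF_FIELD and CSRF_COOKIE are this example's own choices.
declare(strict_types=1);

const CSRF_FIELD  = 'csrf_token';   // name of the hidden form field
const CSRF_COOKIE = 'csrf_token';   // cookie name used by variant 2

// ---- Variant 1: token stored server-side in the session ($_SESSION['token']) ----

function csrf_session_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One token per session: 32 random bytes, hex-encoded to 64 characters.
    if (empty($_SESSION['token']) || !is_string($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_session_verify(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $stored = $_SESSION['token'] ?? null;
    if (!is_string($stored) || !is_string($submitted)) {
        return false;   // no token issued yet, or field missing from the POST
    }
    // Constant-time comparison; '==' would also accept loosely-equal values.
    return hash_equals($stored, $submitted);
}

// ---- Variant 2: token stored in a cookie, echoed back in the hidden field ----

function csrf_cookie_token(): string
{
    $current = $_COOKIE[CSRF_COOKIE] ?? null;
    if (!is_string($current) || $current === '') {
        $current = bin2hex(random_bytes(32));
        // The server itself copies the value into the form, so the browser
        // never needs script access to it: HttpOnly can stay on.
        setcookie(CSRF_COOKIE, $current, [
            'expires'  => 0,            // session cookie
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Strict',
        ]);
        $_COOKIE[CSRF_COOKIE] = $current;   // visible to the rest of this request
    }
    return $current;
}

function csrf_cookie_verify(?string $submitted): bool
{
    $stored = $_COOKIE[CSRF_COOKIE] ?? null;
    if (!is_string($stored) || $stored === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Shared: render the hidden field, escaping the value for the HTML attribute.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Usage (variant 1; swap in csrf_cookie_* for variant 2):
//
// Rendering the form:
//   echo '<form method="post" action="/transfer">'
//      . csrf_hidden_field(csrf_session_token())
//      . '<input name="amount"><button>Send</button></form>';
//
// Handling the POST:
//   if (!csrf_session_verify($_POST[CSRF_FIELD] ?? null)) {
//       http_response_code(403);
//       exit('invalid CSRF token');
//   }
```

The hidden-field rendering and the verification call are the same in both variants; only where the reference copy of the token lives changes, which is exactly the difference the question is asking about.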