
Client-generated double submit cookie, cross site request forgery prevention

In a double-submitted cookie CSRF prevention scheme, is it necessary for the server to provide the cookie?

It seems I could have JavaScript on the client's page generate and set a cookie "anti_csrf", then double submit that (once as a cookie, done by the browser, and once in the body of the request).

A foreign domain would not be able to read or write the "anti_csrf" cookie to include it in the body of a request.

Is this secure, or am I overlooking something?


Tgr, read this:

http://jazzy.id.au/default/2010/09/20/cracking_random_number_generators_part_1.html

All the attacker needs is to get a token or two out of the random number generator, and then they can predict every subsequent and every previous random number if it's not cryptographically secure. If the random number generation is done client side in JavaScript, I don't know of a single browser that uses a cryptographically secure random number generator, so they simply have to call Math.random() a few times and they can work out what token was generated for your cookie.


If the user already has the "anti_csrf" cookie set for your domain, then the CSRF attacker is home free! The HTTP request will go out with the cookie, and of course it's easy to include the parameter in the POST if you know what the value is.

The cookie name doesn't have to be a secret, but the cookie value has to be a hard-to-guess secret known only to the user session. That way, the attacker does not know (and cannot guess) what to put in an attacking HTTP transaction.

If you put the code on the page that makes up the cookie value, then you have to assume that the attacker can get his/her own session at your site (that is, a valid "real" login) and examine the code directly. If it's easy to figure out how the cookie value is generated client-side (and, for just about any client-side solution known to man, it will be), then again the attacker can have their attacking page include the right parameter value in an attack POST.


At first glance it seems safe, but it will mean users without JavaScript cannot use your forms.

