Session Riding
Also Known As
CSRF
session riding attack
cross-site request forgery via session
TL;DR
An alternative term for CSRF — the attacker 'rides' the victim's authenticated session to perform actions on their behalf.
Explanation
Session riding emphasises the mechanism of CSRF: the attacker's request piggybacks on the victim's existing browser session. Unlike session hijacking (which steals the session token), session riding leaves the token with the legitimate user — it simply abuses the browser's automatic cookie inclusion in cross-origin requests. The term is used interchangeably with CSRF in some literature. Defences are identical: SameSite cookies, synchronised CSRF tokens, and Origin/Referer header validation.
Common Misconception
✗ Session riding and CSRF are different attacks. They are the same attack described from different angles — session riding emphasises the attacker riding (abusing, not stealing) the victim's authenticated session; CSRF emphasises forging the cross-site request.
Why It Matters
Session riding (CSRF) exploits the browser's automatic cookie sending — a forged request from a malicious page uses the victim's authenticated session to perform actions they did not initiate.
Common Mistakes
- No CSRF token on state-changing forms and API endpoints.
- CSRF tokens that are not rotated per session or per request.
- Same CSRF token for all users — a leaked token compromises all users.
- Not validating the CSRF token server-side — client-side validation only is bypassable.
Code Examples
✗ Vulnerable
<!-- No CSRF protection — any site can submit this form on behalf of the user: -->
<form method="POST" action="/transfer">
  <input name="to" value="attacker">
  <input name="amount" value="1000">
</form>
<!-- Attacker hosts: <form id='f' ...></form><script>f.submit()</script> -->
<!-- Victim visits attacker page → transfer executes using victim's session -->
✓ Fixed
<?php
// Session riding = CSRF exploiting the session cookie
// 1. SameSite=Strict — blocks cross-site cookie submission (must be set before session_start())
ini_set('session.cookie_samesite', 'Strict');
session_start();
// abort() is a framework helper (e.g. Laravel); plain-PHP equivalent so this file runs stand-alone:
function abort(int $code): void { http_response_code($code); exit; }
// 2. CSRF token in every state-changing form. Generate it once per session, not on every
//    request, otherwise the comparison below never matches the token the form was rendered with.
if (empty($_SESSION['csrf'])) $_SESSION['csrf'] = bin2hex(random_bytes(32));
/* In the form: <input type="hidden" name="_csrf" value="<?= $_SESSION['csrf'] ?>">
   (block comment on purpose: a "?>" inside a // comment would end PHP mode) */
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], $_POST['_csrf'] ?? '')) abort(403);
    // 3. Verify Origin header for AJAX
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if (parse_url($origin, PHP_URL_HOST) !== 'yourapp.com') abort(403);
}
// 4. Re-authenticate for sensitive actions (transfers, email change, delete)
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🔴 Critical
⚙ Fix effort: Medium
⚡ Quick Fix
Session riding is another term for CSRF — an attacker 'rides' the victim's authenticated session to perform actions; the fix is the same: synchronizer CSRF tokens plus SameSite cookies
📦 Applies To
PHP 5.0+
web
api
🔍 Detection Hints
State-changing requests without CSRF token; session cookie without SameSite attribute; GET endpoint with side effects
Auto-detectable:
✓ Yes
owasp-zap
semgrep
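As an added example (not code from the page), a small Python checker that applies these detection hints to one captured HTTP response: it flags a session cookie set without SameSite, a POST form with no hidden token field, and a GET form whose action looks state-changing. The cookie names, token field names and state-changing words are assumed heuristics, and the sample response is constructed.

```python
import re

SESSION_COOKIE_NAMES = {"phpsessid", "sessionid", "session", "sid"}  # assumed common names
CSRF_FIELD_NAMES = ("_csrf", "csrf_token", "_token", "authenticity_token")  # assumed
STATE_CHANGING_WORDS = ("delete", "transfer", "update", "remove", "change", "logout")  # heuristic

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}), attributes lowercased."""
    name, *rest = [p.strip() for p in value.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.split("=", 1)[0], attrs


def find_csrf_issues(headers, body):
    """Flag the three detection hints in one HTTP response; headers is a list of (name, value)."""
    findings = []
    # 1. Session cookie without SameSite: the browser will attach it to cross-site requests
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            cname, attrs = parse_set_cookie(hvalue)
            if cname.lower() in SESSION_COOKIE_NAMES and "samesite" not in attrs:
                findings.append(f"session cookie '{cname}' set without SameSite")
    for raw_attrs, inner in FORM_RE.findall(body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(raw_attrs)}
        method = attrs.get("method", "get").upper()
        action = attrs.get("action", "(no action)")
        field_names = {v.lower() for k, v in ATTR_RE.findall(inner) if k.lower() == "name"}
        # 2. State-changing (POST) form with no synchroniser token field
        if method == "POST" and not field_names.intersection(CSRF_FIELD_NAMES):
            findings.append(f"POST form to {action} has no CSRF token field")
        # 3. GET form whose action looks state-changing: side effects over GET skip token checks
        if method == "GET" and any(w in action.lower() for w in STATE_CHANGING_WORDS):
            findings.append(f"GET form to {action} looks state-changing")
    return findings


SAMPLE_HEADERS = [  # constructed sample response, not captured from any real site
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; SameSite=Lax"),
]
SAMPLE_BODY = """<form method="POST" action="/transfer"><input name="to"><input name="amount"></form>
<form method="post" action="/profile"><input type="hidden" name="_csrf" value="x"><input name="email"></form>
<form method="GET" action="/account/delete"><input name="id"></form>
<form action="/search"><input name="q"></form>"""
```

Running `find_csrf_issues(SAMPLE_HEADERS, SAMPLE_BODY)` reports the PHPSESSID cookie, the /transfer form and the /account/delete form; the /profile form carries a token and /search is a harmless GET, so neither is flagged.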
CWE-352