{
    "slug": "session_riding",
    "term": "Session Riding",
    "category": "security",
    "difficulty": "intermediate",
    "short": "An alternative term for CSRF — the attacker 'rides' the victim's authenticated session to perform actions on their behalf.",
    "long": "Session riding emphasises the mechanism of CSRF: the attacker's request piggybacks on the victim's existing browser session. Unlike session hijacking (which steals the session token), session riding leaves the token with the legitimate user — it simply abuses the browser's automatic cookie inclusion in cross-origin requests. The term is used interchangeably with CSRF in some literature. Defences are identical: SameSite cookies, synchronised CSRF tokens, and Origin/Referer header validation.",
    "aliases": [
        "CSRF",
        "session riding attack",
        "cross-site request forgery via session"
    ],
    "tags": [
        "csrf",
        "session",
        "browser"
    ],
    "misconception": "Session riding and CSRF are different attacks. They are the same attack described from different angles — session riding emphasises the attacker riding the victim's existing authenticated session (without ever obtaining the token); CSRF emphasises forging the cross-site request.",
    "why_it_matters": "Session riding (CSRF) exploits the browser's automatic cookie sending — a forged request from a malicious page uses the victim's authenticated session to perform actions they did not initiate.",
    "common_mistakes": [
        "No CSRF token on state-changing forms and API endpoints.",
        "CSRF tokens that are not rotated per session or per request.",
        "Same CSRF token for all users — a leaked token compromises all users.",
        "Not validating the CSRF token server-side — client-side validation only is bypassable."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "csrf",
        "same_site_cookie",
        "csrf_double_submit",
        "session"
    ],
    "prerequisites": [
        "csrf",
        "session_hijacking",
        "same_site_cookie"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/csrf"
    ],
    "bad_code": "<!-- No CSRF protection — any site can submit this form on behalf of the user: -->\n<form method=\"POST\" action=\"/transfer\">\n    <input name=\"to\" value=\"attacker\">\n    <input name=\"amount\" value=\"1000\">\n</form>\n<!-- Attacker hosts: <form id='f' ...></form><script>f.submit()</script> -->\n<!-- Victim visits attacker page → transfer executes using victim's session -->",
    "good_code": "// Session riding = CSRF exploiting the session cookie\n\n// 1. SameSite=Strict — blocks cross-site cookie submission (must be set before session_start)\nini_set('session.cookie_samesite', 'Strict');\nsession_start();\n\n// 2. CSRF token in every state-changing form: generate once per session,\n//    then verify every POST with a constant-time comparison\nif (empty($_SESSION['csrf'])) {\n    $_SESSION['csrf'] = bin2hex(random_bytes(32));\n}\n// <input type=\"hidden\" name=\"_csrf\" value=\"<?= $_SESSION['csrf'] ?>\">\nif ($_SERVER['REQUEST_METHOD'] === 'POST'\n    && !hash_equals($_SESSION['csrf'], $_POST['_csrf'] ?? '')) {\n    http_response_code(403);\n    exit;\n}\n\n// 3. Verify Origin header for AJAX/fetch requests (browsers send it on cross-site POSTs;\n//    plain same-origin GET navigations may omit it, so only enforce on POST)\n$origin = $_SERVER['HTTP_ORIGIN'] ?? '';\nif ($_SERVER['REQUEST_METHOD'] === 'POST'\n    && parse_url($origin, PHP_URL_HOST) !== 'yourapp.com') {\n    http_response_code(403);\n    exit;\n}\n\n// 4. Re-authenticate for sensitive actions (transfers, email change, delete)",
    "quick_fix": "Session riding is another term for CSRF — an attacker 'rides' the victim's authenticated session to perform actions; the fix is the same: synchronizer CSRF tokens plus SameSite cookies",
    "severity": "critical",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/session_riding",
        "html_url": "https://codeclaritylab.com/glossary/session_riding",
        "json_url": "https://codeclaritylab.com/glossary/session_riding.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Session Riding](https://codeclaritylab.com/glossary/session_riding) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/session_riding"
            }
        }
    }
}