Does anyone see any downsides of doing the following to prevent CSRF?

I'm wondering if the following method will completely prevent CSRF, and be compatible with all users.

Here it is:

In the form just include an extra parameter that is: encrypted(user's userID + request time). Server-side just decrypt and make sure it's the right userID and the request time was reasonably recent.

Aside from someone sniffing the user's traffic or breaking the encryption, is this completely secure? Are there any downsides?

Solution

While your approach is safe it is not standard. The standard way to prevent CSRF attacks is to generate pseudo-random number that you include in a hidden field and also in a cookie and then on the server side you verify that both values match. Take a look at this post.

Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of json responses?
Secure method to download files in Ruby
Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
Escaping strings for use in XML
Limiting the scopes of an OAuth 2.0 flow
How can I tell password managers what pattern to use?
Protecting against MitM (https) seeing password with encryption using included pub. key in iOS/Android app
Why are iframes considered dangerous and a security risk?
Vulnerabilities in spring-webmvc-5.3.39 to 5.3.40
Limit GraphQL Queries by Breadth
Securing a UDP connection
Cross Domain Form POSTing
How is PHP's mt_rand seeded?
Customize android app preview when it is in background with secure flag
Can a client-side login be safe?
How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
How to validate if a URL is an Okta domain?
How to make Google Analytics respond to "Do Not Track"
My Vercel API tokens leaked on GitHub. How do I regenerate them?
Implementing Custom Expression Handling with Spring Security 6
What are the security concerns for JSF?
App attestation failed with Firebase App check in release on Android
SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
When should I use the deny access functions in Symfony 4.4 controllers?
Install two traefik ingress controller on same kubernetes Cluster
Logon events from within credential provider
How to give access to my API for a mobile app?
How to verify a JWKS's integrity and authenticity
Changes in the front-end (Vue.js) part of the PatrolHears project (open source code)
ECPrivateKey to ECPublicKey without BouncyCastle