Question

I was trying to implement CSRF protection in my new project. I did the same by creating a session token for every form, and the token is stored in a hidden field in the form. Every time the form gets submitted, I check whether the token in the POST and the token in the session are the same. If they are the same, the required action is done and the session token is updated.

It works well but the actual problem arises when we refresh the submitted page. Token mismatch then occurs.

My question is, is it secure using a single token for each form, and without updating the token for every form submit? Will this be able to prevent CSRF?


Solution

Yes, there is no need to update the CSRF token. It just needs to be unique per user session.

As there is no way for an attacker to read the value of the hidden form field, the same value can be reused during the session. No extra security is accomplished by renewing this value.

However, it should definitely be a unique value per user session. Different users should have different tokens, and if the same user logs in again it would be a good idea to expire the previous token.
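The per-session scheme the answer describes, as an added example that is not part of the question or the answer: one token generated per server-side session, embedded as a hidden field, and compared in constant time on every POST. The in-memory `SESSIONS` dict, the function names and the `/transfer` form action are assumptions made for the example; a real application would use its framework's server-side session store instead.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store: session id -> session data.
# Stands in for a real server-side session store; the client only ever
# holds the opaque session id, never this dict.
SESSIONS = {}


def new_session():
    """Create a server-side session and return its id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def csrf_token(sid):
    """Return the session's CSRF token, generating it once per session.

    The token is deliberately not rotated on each submit, so a page refresh
    that re-posts the same form still validates (the mismatch problem from
    the question disappears)."""
    session = SESSIONS[sid]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(sid):
    """Embed the token as a hidden field.

    A cross-site page cannot read this response (same-origin policy), so the
    token stays secret even though it is reused for the whole session."""
    token = escape(csrf_token(sid))
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Send">'
        "</form>"
    )


def verify_post(sid, post_data):
    """Accept the POST only if the submitted token equals the session token.

    hmac.compare_digest compares in constant time, so a mismatch does not
    leak which byte differed through timing."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    submitted = post_data.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def rotate_token_on_login(sid):
    """Expire the previous token when the user logs in again, as the answer
    recommends, and return the fresh one."""
    SESSIONS[sid].pop("csrf_token", None)
    return csrf_token(sid)


if __name__ == "__main__":
    sid = new_session()
    print(render_form(sid))
    token = csrf_token(sid)
    print("first submit:", verify_post(sid, {"csrf_token": token}))
    print("refresh/resubmit:", verify_post(sid, {"csrf_token": token}))
    print("missing token:", verify_post(sid, {}))
    print("other session's token:", verify_post(new_session(), {"csrf_token": token}))
```

The two checks that matter are that a re-submitted form still passes (the token is not rotated) and that a token from one session is rejected by another, which is exactly the per-user uniqueness the answer calls for.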

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow