Question

I have recently read about CSRF tokens. I am using the Yii framework to develop my project. I enabled CSRF validation in config/main.php, and Yii is putting a token in a hidden form field and checking whether the token is valid. Everything is fine. But I have observed that the value of the CSRF token does not change when I refresh, and all the forms on a page use the same token.

This puzzled me. If the CSRF token does not change, then any hacker can use that token in his request as well and will be able to produce a valid request. Then how can a CSRF token offer security? Is it a problem with the Yii framework? Or did I miss something? I hope I did miss something. If we have to generate tokens manually, please let me know how to generate and validate them (preferably in the Yii framework).


Solution

Implement CSRF token generation per session. Check:

How will the hacker get the token generated for your session?

There is also a procedure for per-request token generation, but I think that is not a good approach in Yii. Problem with per-request token generation
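As an added example (not from the question or answer, and not Yii's own code), a minimal per-session scheme in Python with a constructed in-memory session store: every form in one session carries the same token, yet a token taken from a different session, which is all a third party could obtain for themselves, is rejected when presented against the victim's session.

```python
import hmac
import secrets


class SessionStore:
    """Constructed in-memory stand-in for server-side sessions (example only)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Session id itself is an unguessable random value, as a real framework would use.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions[sid]


def csrf_token(store, sid):
    """Return the per-session CSRF token, creating it on first use.

    Every form rendered during this session gets the same value, which is the
    behaviour the question observed in Yii."""
    session = store.get(sid)
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def validate_csrf(store, sid, submitted):
    """True only if the submitted token equals the one bound to *this* session.

    hmac.compare_digest avoids leaking the token through timing differences."""
    expected = store.get(sid).get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def demo():
    store = SessionStore()
    victim = store.new_session()
    other = store.new_session()
    victim_token = csrf_token(store, victim)
    other_token = csrf_token(store, other)  # token another party can see: only their own
    return {
        "stable_across_forms": csrf_token(store, victim) == victim_token,
        "own_token_accepted": validate_csrf(store, victim, victim_token),
        "foreign_token_rejected": not validate_csrf(store, victim, other_token),
        "missing_token_rejected": not validate_csrf(store, victim, None),
    }
```

The security rests on the token living in the victim's server-side session and being readable only by pages of the same origin; a request forged from another site cannot include it.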

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow