Question

I ran into a problem. Following the OWASP cheat sheet, I implemented a one-time-use CSRF token system in PHP (basically copy & paste from OWASP). Each form or link (a link that triggers some action) creates its own CSRF token; once it's used, it is deleted. The application is a website, so multiple tabs could be open at the same time.

The problem is that each time it loads a page, it creates a new CSRF token (even if you just hit reload and don't send the form). For example, in the admin panel there's a list of items, and each item can be deleted with a link that has a CSRF token (the same CSRF token for all links), but if you reload the page, a new CSRF token is generated.

At the end of the day, I end up with more unused tokens than I wanted. This is a problem on certain servers.

TL;DR: I generate a token per request. I delete all used tokens (except for AJAX request tokens, which I delete after an hour). My problem is with UNUSED tokens; at the end of the day, there are too many of them.


Solution

There is no (practical) way of knowing if your user will still use the token or not. Thus, you will have to automatically delete (and thus invalidate) them after x hours, for example by using a cronjob.

Just a suggestion: Are you sure that you really need one-time tokens? OWASP themselves say that it is not absolutely necessary for security: "In general, developers need only generate this token once for the current session. [...]" (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet).

Keep in mind that one-time tokens also make tabbed browsing or using the browser history a huge pain.
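As an added example (not the asker's code or OWASP's), here is how both suggestions from the answer look in PHP: per-form one-time tokens stored in the session with an issue time, pruned of expired entries on every request so they cannot pile up without a cron job, next to the simpler per-session token. The `CSRF_TTL`/`CSRF_MAX_TOKENS` constants and the `csrf_*` function names are assumptions, and `session_start()` is assumed to have been called.

```php
<?php
// Added example: per-form CSRF tokens with expiry, plus a per-session alternative.
const CSRF_TTL        = 3600;  // seconds an unused token stays valid (assumed)
const CSRF_MAX_TOKENS = 100;   // hard cap on live tokens per session (assumed)

// Drop expired tokens, then enforce the cap by discarding the oldest ones.
// Called on every token issue, so reload-happy users cannot grow the store.
function csrf_prune(): void {
    $now = time();
    foreach ($_SESSION['csrf'] ?? [] as $token => $issued) {
        if ($now - $issued > CSRF_TTL) {
            unset($_SESSION['csrf'][$token]);
        }
    }
    if (isset($_SESSION['csrf']) && count($_SESSION['csrf']) > CSRF_MAX_TOKENS) {
        asort($_SESSION['csrf']);  // oldest first (sorted by issue time)
        $_SESSION['csrf'] = array_slice($_SESSION['csrf'], -CSRF_MAX_TOKENS, null, true);
    }
}

// Issue a fresh one-time token for a form or action link.
function csrf_issue(): string {
    csrf_prune();
    $token = bin2hex(random_bytes(32));   // 256 bits of CSPRNG output
    $_SESSION['csrf'][$token] = time();
    return $token;
}

// Validate and consume a one-time token. Unknown, already used or expired
// tokens all fail; the token is removed even when expired.
function csrf_consume(string $token): bool {
    $issued = $_SESSION['csrf'][$token] ?? null;
    if ($issued === null) {
        return false;
    }
    unset($_SESSION['csrf'][$token]);     // one-time use
    return (time() - $issued) <= CSRF_TTL;
}

// Per-session alternative: one token for the whole session, which keeps
// tabbed browsing and the back button working. Compared in constant time.
function csrf_session_token(): string {
    if (empty($_SESSION['csrf_session'])) {
        $_SESSION['csrf_session'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_session'];
}

function csrf_session_check(string $token): bool {
    return isset($_SESSION['csrf_session'])
        && hash_equals($_SESSION['csrf_session'], $token);
}
```

Whichever variant you choose, reject the request (e.g. HTTP 403) when the check returns false, and embed the token in a hidden field or custom header rather than in a GET URL so it does not leak through logs or the Referer header.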

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow