To protect forms, when do I issue a token?

So, I have a form that I want to make safer, potentially to help prevent CSRF attacks. I want to add a random token value to a hidden field, with the value also stored on the server side in my session data.

When should I issue a new token? In what shape? On load of a page that has a form? Per session? I can invalidate it once the form is successfully submitted, but I wonder when to create it.

I ask because, if I issue it per form or per page, don't I risk duplicating the token by overwriting the existing (valid) token if the user opens a separate window but submits the first form (with the value now rewritten)?

+3
2 answers

The easiest way to prevent concurrency problems is to generate it only once, at login. The likelihood that an attacker “guesses” your CSRF token is equal to (or lower than) the likelihood that they steal your PHPSESSID. You can also regenerate it every time the user's level of access changes, for example after changing the password or something similar.

If you want to be very thorough, you can create and store an array of tokens, one for each form on the website. But if they can steal the CSRF token, they could just steal the session identifier and do real damage.

+1
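The per-session scheme from the answer above, as an added example that is not part of the original thread: the token is created once per session, rotated on a privilege change, and compared in constant time. The session store, function names and the two-window walkthrough are assumptions made for the example.

```python
"""Session-bound CSRF tokens: issued once per session, rotated on privilege change.

Added example, not from the original thread. Assumes a dict-like server-side
session (what PHP keeps behind PHPSESSID); the names here are hypothetical.
"""
import hmac
import secrets
from typing import Optional

TOKEN_KEY = "csrf_token"


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, creating it on first use.

    Because the token lives in the session rather than per page load, a user
    with two windows open gets the same value in both hidden fields, so
    submitting the older form still validates.
    """
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def rotate_token(session: dict) -> str:
    """Replace the token, e.g. after login or a password change, so a value
    captured before the privilege change can no longer be replayed."""
    session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def validate_token(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted hidden-field value."""
    expected = session.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Walk through the two-window scenario from the question (constructed)."""
    session: dict = {}
    window_a = issue_token(session)   # first page render
    window_b = issue_token(session)   # second window, same session
    results = {
        "same_token_in_both_windows": window_a == window_b,
        "old_window_submits_ok": validate_token(session, window_a),
    }
    rotate_token(session)             # e.g. the user changed their password
    results["old_token_after_rotate"] = validate_token(session, window_a)
    results["missing_token"] = validate_token(session, None)
    return results
```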

Source: https://habr.com/ru/post/1748386/
