8

I am using a form token to prevent CSRF attacks. Those tokens are stored and tied to a user's session. Now I want to refresh the token only every N minutes or hours so that the users don't experience any usability issues like the browser Back button not working properly.

My question is, what would be a good time period before refreshing the user session token?

Kid Diamond
  • I would say around 20 minutes. –  Apr 23 '14 at 14:29
  • "I would say around 350 minutes", no, seriously @edvinas.me, why have you just selected that number? I believe that number is just out of the blue... – kiBytes Apr 23 '14 at 14:32
  • Because 20 minutes is a reasonable maximum amount of time for someone to fill in most of the forms. My answer is of the same quality as the question. –  Apr 23 '14 at 14:49

2 Answers

9

My recommendation: Never.

You should only have one CSRF token per session. If the session times out, then the CSRF token expires at this point.

As there is no way for an attacker to read the CSRF token (at least there's no more of a risk of an attacker reading a CSRF token as the Session ID cookie), there is no need to generate a new one unless you have a new session to go with it.

SilverlightFox
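A minimal illustration of the per-session model this answer describes, added here as an example and not code from the answer: the token is minted with the session and dies with it, so an old form still posts after the user presses Back, and nothing is accepted once the session is gone. The in-memory store, the 30-minute session lifetime and the injectable clock are assumptions for the demo.

```python
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # seconds; assumed server-side session lifetime


class SessionStore:
    """One CSRF token per session; no separate rotation schedule."""

    def __init__(self, now=time.time):
        self._now = now          # clock is injectable so expiry can be simulated
        self._sessions = {}      # session_id -> {"csrf": str, "expires": float}

    def create_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "csrf": secrets.token_urlsafe(32),          # minted with the session
            "expires": self._now() + SESSION_TTL,
        }
        return sid

    def _live(self, sid):
        """Return the session record, dropping it (and its token) if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() >= s["expires"]:
            del self._sessions[sid]
            return None
        return s

    def csrf_token(self, sid):
        """Token to embed in a rendered form; None if the session is gone."""
        s = self._live(sid)
        return s["csrf"] if s else None

    def validate_post(self, sid, submitted):
        """Accept a form submission only if its token matches the live session."""
        s = self._live(sid)
        if s is None or not isinstance(submitted, str):
            return False
        # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
        return hmac.compare_digest(s["csrf"].encode(), submitted.encode("utf-8"))


if __name__ == "__main__":
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.create_session()
    first_form = store.csrf_token(sid)
    clock[0] += 20 * 60                    # user wanders around, presses Back
    print("old form still valid:", store.validate_post(sid, first_form))
    clock[0] += 11 * 60                    # past SESSION_TTL
    print("after session expiry:", store.validate_post(sid, first_form))
```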
1

Well, you should study your personal stats. You should ask yourself the following questions:

  1. How much time does a user spend in your system?
  2. What is the usability impact of not changing it within a session?
  3. What is your session expiry time? ...

Nobody here can answer those questions (among others) better than yourself.

kiBytes