
Is it a good practice to recreate the CSRF token once it's been used (basically create a new token after a POST request is sent)? Or is it an unnecessary measure to take? My current system is recreating the token after each POST/DELETE/PUT request, and currently it's causing me some serious trouble with a part of my code where I need to make multiple POST requests one after another, and since the system restarts the token as it starts the POST request, the other requests get an "Invalid Token" error.

Gasim

1 Answer


I think you should only create/change the token on every user login. If you change the token mid-session, it will invalidate all the links the user could have opened on new windows. And you will have lots of confused users.

If you think about it, there's no addition to security by changing the token. If any attacker cannot guess the first tag, s/he will not be able to guess the new one. If the first token is guessable, any other token will be too.

ThoriumBR
This approach also minimizes complexity of the implementation. Keeping the implementation simple reduces the likelihood of implementation flaws that can result in additional vulnerabilities. – atk Sep 05 '14 at 01:08
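To make the trade-off in the question and the answer concrete, here is an added simulation (not code from either poster): a per-session CSRF token accepts a burst of POSTs that all carry the token the page loaded with, while a token rotated after every accepted request rejects everything after the first, which is exactly the "Invalid Token" failure the asker describes. The class and function names are hypothetical; the token comparison uses a constant-time check.

```python
import hmac
import secrets


class CsrfSession:
    """Server-side CSRF state for one logged-in session (hypothetical helper).

    rotate_per_request=False: one token for the whole session, as the answer
    recommends. rotate_per_request=True: a fresh token after every accepted
    state-changing request, which is the asker's current setup.
    """

    def __init__(self, rotate_per_request: bool) -> None:
        self.rotate_per_request = rotate_per_request
        self.token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def verify(self, submitted: str) -> bool:
        # Constant-time comparison so the check itself leaks nothing via timing.
        ok = hmac.compare_digest(self.token, submitted or "")
        if ok and self.rotate_per_request:
            # Rotating here invalidates the token every open page still holds.
            self.token = secrets.token_urlsafe(32)
        return ok


def submit_burst(session: CsrfSession, count: int) -> list:
    """Simulate a page firing `count` POSTs back to back, each carrying the
    token it rendered with, as in the question. Returns one verdict per POST."""
    token_seen_by_page = session.token
    return [session.verify(token_seen_by_page) for _ in range(count)]


if __name__ == "__main__":
    print("per-session token:", submit_burst(CsrfSession(False), 3))
    print("per-request token:", submit_burst(CsrfSession(True), 3))
```

With a per-session token all three verdicts are True; with per-request rotation only the first is, and a forged or stale value is rejected in both modes.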