[WEB SECURITY] CSRF and Header Forging - your thoughts needed

Paul Johnston paul.johnston at pentest.co.uk
Sun May 16 14:55:09 EDT 2010


Hi,

Is there any need to have a different token on each page? I don't think
so. I've always recommended that the anti-CSRF token be generated at the
same time as the session ID, and remain constant throughout the session.
Sure, changing it may add a little security, but I don't think changing
is necessary, not at all.

Paul

-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
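As an added illustration of the per-session approach described in this post (example code, not Paul's or any real framework's): the anti-CSRF token is minted together with the session id, stays constant for the whole session, is embedded in every state-changing form, and is compared in constant time against the token stored server-side for the requesting session. The `SessionStore`, `csrf_check` and `handle_transfer` names and the in-memory store are hypothetical; the `demo()` function constructs four requests (a legitimate one, a cross-site forgery that carries the cookie but no token, a token borrowed from a different session, and a request with no session) to show which ones the check rejects.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


# Hypothetical in-memory session store for this example (not a real framework).
@dataclass
class Session:
    session_id: str
    csrf_token: str  # generated once, alongside the session id
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> Session:
        # Session id and anti-CSRF token are generated at the same time from a
        # CSPRNG; the token then stays constant for the life of the session.
        sess = Session(session_id=secrets.token_urlsafe(32),
                       csrf_token=secrets.token_urlsafe(32))
        self._sessions[sess.session_id] = sess
        return sess

    def get(self, session_id: Optional[str]) -> Optional[Session]:
        if session_id is None:
            return None
        return self._sessions.get(session_id)

    def destroy(self, session_id: str) -> None:
        # Destroying the session also retires its token.
        self._sessions.pop(session_id, None)


def render_form(sess: Session) -> str:
    """Embed the session's (unchanging) token in a state-changing form."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{sess.csrf_token}">'
            '<input name="amount"><button>Send</button></form>')


def csrf_check(store: SessionStore, cookies: Dict[str, str],
               form: Dict[str, str]) -> bool:
    """True only if the submitted token matches the requesting session's token."""
    sess = store.get(cookies.get("sid"))
    if sess is None:
        return False  # no valid session: nothing to bind the token to
    submitted = form.get("csrf_token")
    if not submitted:
        return False  # cross-site forms cannot read the token, so it is absent
    # Constant-time comparison so mismatches do not leak token bytes via timing.
    return hmac.compare_digest(submitted, sess.csrf_token)


def handle_transfer(store: SessionStore, cookies: Dict[str, str],
                    form: Dict[str, str]) -> Tuple[int, str]:
    """A state-changing endpoint guarded by the per-session token."""
    if not csrf_check(store, cookies, form):
        return 403, "CSRF check failed"
    return 200, f"transferred {form.get('amount')}"


def demo() -> Dict[str, int]:
    """Constructed requests showing which ones the per-session check rejects."""
    store = SessionStore()
    victim = store.create()
    other = store.create()  # a second, unrelated session
    token_from_page = render_form(victim).split('value="')[1].split('"')[0]

    results = {
        # Same-origin form: browser sends the cookie, page supplied the token.
        "legit": handle_transfer(store, {"sid": victim.session_id},
                                 {"csrf_token": token_from_page,
                                  "amount": "10"})[0],
        # Cross-site forgery: cookie rides along automatically, token does not.
        "forged_no_token": handle_transfer(store, {"sid": victim.session_id},
                                           {"amount": "10"})[0],
        # Token from a different session does not match the victim's session.
        "other_sessions_token": handle_transfer(store, {"sid": victim.session_id},
                                                {"csrf_token": other.csrf_token,
                                                 "amount": "10"})[0],
        # No session cookie at all.
        "no_session": handle_transfer(store, {}, {"csrf_token": token_from_page,
                                                  "amount": "10"})[0],
    }
    # The token is the same on every page render within the session.
    results["token_stable"] = int(render_form(victim) == render_form(victim))
    return results


if __name__ == "__main__":
    print(demo())
```

The check rejects anything that does not carry the token bound to the requesting session, which is all a cross-site forgery can produce, since the attacker's page can neither read the victim's token nor obtain one that matches the victim's session. Whether the token is regenerated per page changes nothing in this logic; only the lifetime of `csrf_token` would differ.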
