[WEB SECURITY] CSRF and Header Forging - your thoughts needed

Bil Corry bil at corry.biz
Mon May 17 14:06:51 EDT 2010

Paul Johnston wrote on 5/16/2010 11:55 AM: 
> Is there any need to have a different token on each page? I don't think
> so. I've always recommended that the anti-CSRF token be generated at the
> same time as the session ID, and remain constant throughout the session.
> Sure, changing it may add a little security, but I don't think changing
> is necessary, not at all.

Rotating the token on every page can be messy; depending on how it's implemented, it will break the back button and will prevent legitimate use by those users that double-click links, buttons, etc.

- Bil

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list