[WEB SECURITY] Improved double submit csrf prevention
jim at manico.net
Fri Apr 29 11:03:11 EDT 2011
> James Manico states that: "I think one token per session is a reasonable
> tradeoff for a framework
Let me clarify. I'd rather see one CSRF token per request but such a feature
is more complex to implement and tends to break stuff. For a framework (like
Struts) I think one CSRF token per session is a reasonable design decision.
Even better, support both (at the framework level again) and let the dev
configure which one is active.
On Apr 28, 2011, at 7:48 AM, Richard Hauswald <
richard.hauswald at googlemail.com> wrote:
> James Manico states that: "I think one token per session is a
> reasonable tradeoff for a framework
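To make the per-session versus per-request tradeoff concrete, the following is an added illustration (not Jim's code and not the Struts implementation) of a small token store that supports both policies behind one configuration switch, as the message suggests. The class and method names, the session ids and the outstanding-token cap are assumptions made for the example.

```python
import hmac
import secrets

# Hypothetical CSRF token store for illustration; not any framework's real API.
MAX_OUTSTANDING = 20  # assumed cap on unconsumed per-request tokens (e.g. many open tabs)


class CsrfTokenStore:
    """Supports the two policies discussed in the thread:
    'session' : one token per session, reused by every form and every submit.
    'request' : a fresh single-use token per form render, consumed on validation."""

    def __init__(self, mode="session"):
        if mode not in ("session", "request"):
            raise ValueError("mode must be 'session' or 'request'")
        self.mode = mode
        self._session_tokens = {}   # session_id -> token            (session mode)
        self._request_tokens = {}   # session_id -> [token, ...]     (request mode)

    def issue(self, session_id):
        """Return the token to embed in a form rendered for this session."""
        if self.mode == "session":
            tok = self._session_tokens.get(session_id)
            if tok is None:
                tok = secrets.token_urlsafe(32)
                self._session_tokens[session_id] = tok
            return tok
        # Request mode: every render gets its own token; evict the oldest when capped
        tok = secrets.token_urlsafe(32)
        outstanding = self._request_tokens.setdefault(session_id, [])
        outstanding.append(tok)
        del outstanding[:-MAX_OUTSTANDING]
        return tok

    def validate(self, session_id, submitted):
        """Check a submitted token with constant-time comparison.
        In request mode a matching token is removed, so a replay or a
        second submit of the same form (back button, double click) fails."""
        if not submitted:
            return False
        if self.mode == "session":
            expected = self._session_tokens.get(session_id)
            return expected is not None and hmac.compare_digest(expected, submitted)
        outstanding = self._request_tokens.get(session_id, [])
        for tok in list(outstanding):
            if hmac.compare_digest(tok, submitted):
                outstanding.remove(tok)
                return True
        return False


def demo():
    """Show the behavioural difference the thread is about; returns
    (session_first, session_replay, request_first, request_replay)."""
    per_session = CsrfTokenStore("session")
    t = per_session.issue("sid-1")                 # constructed session id
    session_first = per_session.validate("sid-1", t)
    session_replay = per_session.validate("sid-1", t)   # same token accepted again

    per_request = CsrfTokenStore("request")
    t2 = per_request.issue("sid-1")
    request_first = per_request.validate("sid-1", t2)
    request_replay = per_request.validate("sid-1", t2)  # consumed: rejected
    return session_first, session_replay, request_first, request_replay


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The last two values are the "breaks stuff" case from the message: with single-use tokens, a user who resubmits a form, or opens more forms than the store keeps outstanding, gets a legitimate request rejected, which is the usability cost that the per-session default avoids.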