[WEB SECURITY] Improved double submit csrf prevention

James Manico jim at manico.net
Fri Apr 29 11:03:11 EDT 2011


> James Manico states that: "I think one token per session is a reasonable
> tradeoff for a framework

Let me clarify. I'd rather see one CSRF token per request but such a feature
is more complex to implement and tends to break stuff. For a framework (like
struts) I think one CSRF token per session is a reasonable design decision.
Even better, support both (at the framework level again) and let the dev
configure which one is active.

Jim Manico

On Apr 28, 2011, at 7:48 AM, Richard Hauswald <richard.hauswald at googlemail.com> wrote:

> James Manico states that: "I think one token per session is a
> reasonable tradeoff for a framework
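As an added illustration of the two policies Jim compares (this is example code written for this page, not code from the thread or from Struts): a hypothetical framework-level token store that can run in per-session or per-request mode, with a two-tab scenario showing why the per-request variant "tends to break stuff" (a form rendered earlier in another tab holds a stale token).

```python
import hmac
import secrets

class CsrfGuard:
    """Hypothetical framework-level CSRF token store (not Struts code):
    mode="session" keeps one token for the session's life; mode="request"
    mints a fresh token on every render and consumes it on first use."""

    def __init__(self, mode="session"):
        if mode not in ("session", "request"):
            raise ValueError("mode must be 'session' or 'request'")
        self.mode = mode
        self.tokens = {}  # session_id -> currently valid token

    def issue(self, session_id):
        """Return the token to embed in a form for this session."""
        if self.mode == "session" and session_id in self.tokens:
            return self.tokens[session_id]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.tokens[session_id] = token    # per-request: older forms go stale
        return token

    def validate(self, session_id, submitted):
        """True only if the submitted token matches the session's current one."""
        expected = self.tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # constant-time comparison so a timing side channel cannot leak the token
        ok = hmac.compare_digest(expected.encode(), submitted.encode())
        if ok and self.mode == "request":
            self.tokens[session_id] = secrets.token_urlsafe(32)  # rotate after use
        return ok

def two_tab_scenario(mode):
    """Render a form in two tabs, submit tab A then tab B; returns
    (tab_a_accepted, tab_b_accepted). Session id is constructed."""
    guard = CsrfGuard(mode)
    sid = "session-1"
    tab_a = guard.issue(sid)
    tab_b = guard.issue(sid)  # per-request: this render invalidates tab A's token
    return guard.validate(sid, tab_a), guard.validate(sid, tab_b)

if __name__ == "__main__":
    print("session:", two_tab_scenario("session"))  # (True, True)
    print("request:", two_tab_scenario("request"))  # (False, True)
```

Making the mode a framework setting, as the post suggests, lets an application pick the stricter per-request rotation only where multi-tab and back-button breakage is acceptable.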