使用npm csurf时,是否应该可以在同一会话中重复使用csrf令牌?
[英]Should I be able to re-use csrf tokens within the same session when using npm csurf?
问题描述
When using csurf I've noticed that if I present a previously generated and used csrf token, it is still accepted as a valid token (within the same session). 
使用csurf时,我注意到,如果我提供一个先前生成并使用过的 csrf令牌,它仍被视为有效令牌(在同一会话中)。
Should this be the case or am I using it wrong? 是这种情况还是我使用错了? I would have expected a used csrf token to become invalidated (so it can only be used once per session id). 我希望使用的csrf令牌失效(因此每个会话ID只能使用一次)。
My code looks something like this: 我的代码如下所示:
var express = require('express');
var bodyParser = require('body-parser');
var csurf = require('csurf');
app.use(csurf());
app.use(function (req, res, next) {
res.locals.csrfToken = req.csrfToken();
next();
});
1 个解决方案
解决方案1
1 2017-03-27 09:24:10
According to OWASP : "Synchronizer (CSRF) Tokens (are) Unique per user session" which I take to mean that they are tied to the session . 根据OWASP的说法:“同步器(CSRF)令牌在每个用户会话中都是唯一的”,我的意思是将它们绑定到该会话 。 This means that it is possible to re-use a token from the same session. 这意味着可以重用同一会话中的令牌。 Hence the answer to the question is 'yes'. 因此,问题的答案是“是”。
It seems then that npm csurf is using a standard best practice by allowing the re-use of csrf tokens within the same session (even after they have been consumed once). 看来npm csurf正在使用一种标准的最佳实践,即允许在同一会话内重复使用csrf令牌(即使在它们被消耗了一次之后)。
Relevant part from OWASP: OWASP的相关部分:
Synchronizer (CSRF) Tokens 同步器(CSRF)令牌
Any state changing operation requires a secure random token (eg, CSRF token) to prevent CSRF attacks
Characteristics of a CSRF Token CSRF代币的特征
- Unique per user session 每个用户会话唯一
- Large random value 大随机值
- Generated by a cryptographically secure random number generator 由密码安全的随机数生成器生成
The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs via a GET The server rejects the requested action if the CSRF token fails validation
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.