Should I be able to re-use csrf tokens within the same session when using npm csurf?
When using csurf I've noticed that if I present a previously generated and used csrf token, it is still accepted as a valid token (within the same session).
Should this be the case or am I using it wrong? I would have expected a used csrf token to become invalidated (so it can only be used once per session id).
My code looks something like this:
var express = require('express');
var bodyParser = require('body-parser');
var session = require('express-session');
var csurf = require('csurf');
var app = express();
// csurf reads the submitted token from req.body._csrf, so the body must be parsed first
app.use(bodyParser.urlencoded({ extended: false }));
// csurf keeps the per-session secret in req.session by default, so a session middleware must come before it
// ('replace-me' is a placeholder for a real session secret)
app.use(session({ secret: 'replace-me', resave: false, saveUninitialized: true }));
app.use(csurf());
app.use(function (req, res, next) {
  // expose a fresh token to the view layer; every token is derived from the same session secret
  res.locals.csrfToken = req.csrfToken();
  next();
});
According to OWASP: "Synchronizer (CSRF) Tokens (are) Unique per user session", which I take to mean that they are tied to the session. This means that it is possible to re-use a token from the same session.
Hence the answer to the question is 'yes'.
It seems then that npm csurf is following standard best practice by allowing the re-use of csrf tokens within the same session (even after they have been consumed once).
Relevant part from OWASP:
Synchronizer (CSRF) Tokens
- Any state changing operation requires a secure random token (eg, CSRF token) to prevent CSRF attacks
Characteristics of a CSRF Token
- The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs via a GET
- The server rejects the requested action if the CSRF token fails validation