
csrf token doesn't match in form re-submission through browser's refresh button

I have a csrf token that I send within a form and also store it in the session so I can verify if they are equal when the form is submitted.

The csrf token is generated on every page load, which means the csrf token in the session is changing as well. However, when I re-submit the form with the browser "refresh" button, it sends the old token, which throws an error.

Is there a way to change the token in the cached browser data?

No. It isn't even cached data; you're asking the browser to repeat the previous request.

You might be able to avoid the problem by using the PRG pattern so that the refresh just loads a display page and doesn't resubmit the form data for processing.

That said, it is generally considered fine to generate the token once per session rather than on every page load. This would also solve problems with people accessing the site in two tabs at once.
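The two points in this answer, a per-session token and a Post/Redirect/Get flow, as an added example that is not the asker's code or any framework's API. It assumes a dict-shaped session store and a toy request/response model constructed for the walkthrough:

```python
import secrets
import hmac

# Hypothetical in-memory session (a plain dict) and a minimal response model,
# constructed for this example; not the asker's framework.
def get_csrf_token(session):
    """Generate the token once per session and reuse it on later page loads."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_token_matches(session, submitted):
    """Constant-time comparison; a missing session or form token never matches."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)

def render_form(session):
    """GET /form: embed the per-session token in the form page."""
    return {"status": 200, "body": {"csrf_token": get_csrf_token(session)}}

def handle_post(session, form):
    """POST /form: verify the token, process once, then redirect (PRG).
    Because the answer is a 303 redirect, the browser's refresh button replays
    the GET of /done instead of re-sending the form data."""
    if not csrf_token_matches(session, form.get("csrf_token")):
        return {"status": 403, "body": "csrf token mismatch"}
    session["submissions"] = session.get("submissions", 0) + 1
    return {"status": 303, "location": "/done"}

def show_done(session):
    """GET /done: the display page that a refresh re-loads harmlessly."""
    return {"status": 200, "body": {"submissions": session.get("submissions", 0)}}

def simulate_refresh_after_post(session):
    """Load the form in two tabs, submit from one, follow the redirect, refresh.
    Returns (post status, landing status, refresh status, times processed)."""
    page = render_form(session)                       # tab 1 loads the form
    token = page["body"]["csrf_token"]
    render_form(session)                              # tab 2 loads it too
    first = handle_post(session, {"csrf_token": token})
    landing = show_done(session)                      # browser follows the 303
    refreshed = show_done(session)                    # refresh repeats the GET
    return (first["status"], landing["status"], refreshed["status"],
            session["submissions"])
```

With per-page-load tokens the second `render_form` call (tab 2) would have invalidated tab 1's token; here both tabs hold the same session token and the refresh never reaches `handle_post`.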
