Advantages of disposable csrf token

Are there any advantages of using a unique one-off CSRF token per request?

As far as I can imagine the usefulness of a unique disposable per-request token, it is a protection for redirection or following a URL with a CSRF token. It is useful when a user follows a URL with a CSRF token. The server marks the token as outdated during this request. And the user's publication of a URL with an outdated, disposable token is not dangerous.

But when the server is busy or a network transmission error occurs, the CSRF token is not marked as outdated. And this URL with a valid CSRF token becomes available to the user and may possibly be published. This valid CSRF token is available to exploit right after it is published by the user.

So a disposable unique CSRF token does not guarantee protection when redirection or following of a URL with a CSRF token is used. So we must not use redirection or following of a URL with a CSRF token, but may use such a URL only as an XMLHttpRequest (or Ajax etc.).

The question is: what is the reason to use a unique disposable per-request token when we do not use redirection or following of a URL with a CSRF token? Are there any other advantages of a unique disposable per-request token?

What do you think about differentiating both methods with regard to the vulnerability of script injection? It seems this attack cannot be reflected by either the single static CSRF token or the disposable unique CSRF token.

Using a unique CSRF token per request adds minor security to the application. For example, if cookie hijacking happens, a unique token prevents a complete hijacking of the application. As @Neil put it in his comment, using a unique token will cause a number of functionality issues such as multi-tabbing, the back button, and caching.
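As an added example (not part of the question or the answer above), the following Python sketch models both token schemes on the server side and runs the two-tabs-then-replay scenario the answer alludes to. The `CsrfTokenStore` class and the scenario are constructed for illustration, not taken from any real framework.

```python
import hmac
import secrets


class CsrfTokenStore:
    """Server-side CSRF state for one user session (constructed example).

    one_time=False: one token per session, valid until the session ends
                    (the "single static token" discussed in the question).
    one_time=True:  each issued token replaces the previous one and is
                    consumed on first successful check (the disposable
                    per-request token).
    """

    def __init__(self, one_time: bool):
        self.one_time = one_time
        self._current = None

    def issue(self) -> str:
        """Return the token to embed in the next form or page."""
        if self._current is None or self.one_time:
            self._current = secrets.token_urlsafe(32)
        return self._current

    def verify(self, presented: str) -> bool:
        """Check a presented token in constant time; consume it if one-time."""
        if self._current is None or not hmac.compare_digest(
            self._current.encode(), presented.encode()
        ):
            return False
        if self.one_time:
            self._current = None  # mark as outdated: a replay of this token fails
        return True


def two_tabs_then_replay(one_time: bool) -> dict:
    """Constructed scenario: tab A loads a form, then tab B loads a form;
    A submits, B submits, then B's token is presented a second time
    (e.g. a resubmitted or leaked URL)."""
    store = CsrfTokenStore(one_time)
    tab_a = store.issue()
    tab_b = store.issue()
    return {
        "tab_a_submit": store.verify(tab_a),
        "tab_b_submit": store.verify(tab_b),
        "tab_b_replay": store.verify(tab_b),
    }


if __name__ == "__main__":
    print("static:  ", two_tabs_then_replay(one_time=False))
    print("one-time:", two_tabs_then_replay(one_time=True))
```

With one-time tokens the replay is rejected, but tab A's submission fails too, which is the multi-tab breakage the answer mentions; the static scheme accepts all three.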
