So I am reading around and was really confused about having a CSRF token, whether I should generate a new token for each request, or just per hour or something?
Generally, it suffices to have one single token per user or per session. It is important that the token is bound to just one particular user/session and not globally used.
If you are afraid the token could get leaked to or get obtained by an attacking site (e.g. by XSS), you can limit the token’s validity to just a certain timeframe, a certain form/URL, or a certain amount of uses.
But limiting the validity has the drawback that it might result in false positives and thus restrictions in usability, e.g. a legitimate request might use a token that has just been invalidated as the token request was too long ago or the token has already been used too often.
So my recommendation is to just use one token per user/session. And if you want further security, use one token per form/URL per user/session so that if a token for one form/URL gets leaked the others are still safe.
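The following is an added example, not part of the original answer: one way to get a token per form/URL per session without storing every token is to derive each one with an HMAC from a single random per-session secret. The function names and the sample form paths are hypothetical; passing one fixed `form_id` everywhere gives the plain one-token-per-session variant.

```python
import hashlib
import hmac
import secrets


def new_session_secret() -> bytes:
    """Random per-session CSRF secret; keep it server-side with the session."""
    return secrets.token_bytes(32)


def form_token(session_secret: bytes, form_id: str) -> str:
    """Token that is valid only for this session and this form/URL."""
    mac = hmac.new(session_secret, form_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def verify(session_secret: bytes, form_id: str, submitted) -> bool:
    """Constant-time check of a submitted token against the expected one."""
    # Reject missing or non-string values before comparing.
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = form_token(session_secret, form_id)
    # Compare as bytes so non-ASCII input cannot raise in compare_digest.
    return hmac.compare_digest(expected.encode(), submitted.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample sessions and form paths, for illustration only.
    alice = new_session_secret()
    other = new_session_secret()
    token = form_token(alice, "/account/email")

    print(verify(alice, "/account/email", token))    # same session, same form
    print(verify(alice, "/account/delete", token))   # token reused on another form
    print(verify(other, "/account/email", token))    # token reused in another session
    print(verify(alice, "/account/email", None))     # token missing from request
```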