New CSRF token per request or NOT?

Backend | Unresolved | 5 answers | 1292 views
不知归路
不知归路 2020-11-29 00:11

So I am reading around and was really confused about having a CSRF token: whether I should generate a new token per request, or just per hour or something?

5 answers
  •  没有蜡笔的小新
    2020-11-29 00:54

    The answer to your question is: it depends.

    And you don't need to use a session for timed tokens; you can just use the server time and a secret key on the server.

    But let's say it's better to generate a token each hour; then I would need two session values: token and expiration.

    No, you need a routine that is able to generate a token for a time frame. Let's say you divide time into 30-minute periods. Then you create one token for the current 30 minutes and put it in the form.

    When the form is submitted, you verify the token against the one for the current period and against the one for the previous 30-minute period. Therefore a token is valid for 30 minutes up to one hour.

    $secret    = getenv('CSRF_SECRET');              // server-side secret, never sent to the client
    $hash      = fn(string $s): string => hash('sha256', $s);
    $submitted = (string) ($_POST['csrf_token'] ?? '');
    $token = function (int $tick = 0) use ($secret, $hash): string {
        $segment = ((int) ($_SERVER['REQUEST_TIME'] / 1800)) + $tick; // 30-minute slot, shifted by $tick
        return $hash($secret . $segment);
    };
    $valid = hash_equals($token(0), $submitted) || hash_equals($token(-1), $submitted); // current or previous slot
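A worked version of the time-bucketed scheme described in the answer above, added here as an example (it is not code from the original answer) and ported to Python so it runs stand-alone. It keeps the 30-minute slots and the two-slot acceptance window, and adds one check a practitioner would want: the token is also bound to the session ID. With hash(secret . segment) alone, every visitor receives the same token during a given half hour, so an attacker who loads one page from the site obtains a token that is valid for everyone, which defeats the purpose of a CSRF token. SECRET, SLOT_SECONDS and the session_id parameter are assumptions of this example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumptions for this example (not from the original post):
# - SECRET is a server-side key loaded from configuration; it is never sent to the client.
# - session_id is the opaque identifier of the user's authenticated session.
SECRET = b"example-server-secret-rotate-me"  # constructed value for the example
SLOT_SECONDS = 1800  # 30-minute time segments, as in the answer


def _slot(now: float, tick: int = 0) -> int:
    """Index of the 30-minute slot containing `now`, shifted by `tick` slots."""
    return int(now // SLOT_SECONDS) + tick


def make_token(session_id: str, now: Optional[float] = None, tick: int = 0) -> str:
    """HMAC-SHA256 over (session id, slot index).

    Using HMAC instead of hash(secret . data) gives a proper keyed MAC, and
    binding to the session id makes the token differ per user, so a token an
    attacker obtains for their own session is useless against a victim.
    """
    now = time.time() if now is None else now
    msg = f"{session_id}|{_slot(now, tick)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a token minted in the current slot or the previous one.

    A token therefore stays valid for between 30 and 60 minutes after issue,
    depending on where in its slot it was minted. compare_digest avoids
    leaking the correct token through timing differences.
    """
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(make_token(session_id, now, tick), submitted)
        for tick in (0, -1)
    )


if __name__ == "__main__":
    # Walk one token across slot boundaries to show the 30-to-60-minute lifetime.
    t0 = 888888 * SLOT_SECONDS  # start of an arbitrary slot (constructed)
    tok = make_token("sess-A", t0)
    for offset in (0, 1799, 1800, 3599, 3600):
        print(f"+{offset:>4}s valid={verify_token('sess-A', tok, t0 + offset)}")
    print("other session accepts it:", verify_token("sess-B", tok, t0))
```

The example is stateless on the server, which is the answer's point: no token or expiry needs to be stored in the session, only the secret and the clock are required. Whether this beats a per-request token is the "it depends" part of the answer: per-request tokens break when a user keeps several tabs open or uses the back button, while time-bucketed tokens remain reusable by an attacker who can somehow read one for the victim's session until the slot window closes.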
    
