So I am reading around and was really confused about having a CSRF token: whether I should generate a new token per request, or just per hour or something?
On the OWASP site it mentions that
Per-request tokens are more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal. However, this may result in usability concerns.
And it concludes that
CSRF tokens should be:
- Unique per user session.
- Secret
- Unpredictable (large random value generated by a secure method).
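As an added illustration of the difference between the two strategies quoted above (this is example code, not from OWASP or the original post; the class name, method names and the in-memory dictionary standing in for a server-side session store are all my own assumptions), here is a small token store that can run in either per-session or per-request mode. Both modes satisfy the three properties in the list: tokens are tied to a session id, never leave the server except in the form, and come from a CSPRNG. The only thing per-request mode changes is that each token is consumed on first use, so a token that leaks cannot be replayed.

```python
"""Per-session vs per-request CSRF tokens (added example, assumed names)."""
import hmac
import secrets
from typing import Dict, Optional, Set


class CsrfTokenStore:
    """Server-side CSRF tokens keyed by session id (in-memory stand-in).

    mode="session": one token per session, reused on every request.
    mode="request": a fresh token per form render; each token is valid once.
    """

    def __init__(self, mode: str = "session", nbytes: int = 32) -> None:
        if mode not in ("session", "request"):
            raise ValueError("mode must be 'session' or 'request'")
        self.mode = mode
        self.nbytes = nbytes  # 32 bytes = 256 bits from the OS CSPRNG
        self._tokens: Dict[str, Set[str]] = {}

    def issue(self, session_id: str) -> str:
        """Return the token to embed in a form or header for this session."""
        bucket = self._tokens.setdefault(session_id, set())
        if self.mode == "session" and bucket:
            return next(iter(bucket))  # reuse the single per-session token
        token = secrets.token_urlsafe(self.nbytes)  # unpredictable and secret
        bucket.add(token)  # per-request mode may hold several (multiple tabs)
        return token

    def validate(self, session_id: str, presented: Optional[str]) -> bool:
        """Check a token submitted with a state-changing request."""
        if not presented:
            return False
        bucket = self._tokens.get(session_id, set())
        match = None
        # Compare in constant time against every live token of this session;
        # a token minted for another session never matches.
        for tok in bucket:
            if hmac.compare_digest(tok.encode(), presented.encode()):
                match = tok
        if match is None:
            return False  # forged, wrong session, or already consumed
        if self.mode == "request":
            bucket.discard(match)  # single use: a replayed copy now fails
        return True

    def end_session(self, session_id: str) -> None:
        """Drop all tokens when the session is destroyed (logout, expiry)."""
        self._tokens.pop(session_id, None)


def replay_window(mode: str) -> bool:
    """True if a token captured from one request still works on a second one.

    This is the exposure OWASP's per-request recommendation narrows.
    """
    store = CsrfTokenStore(mode=mode)
    token = store.issue("sess-A")  # constructed session id
    first = store.validate("sess-A", token)
    second = store.validate("sess-A", token)
    return first and second


if __name__ == "__main__":
    print("per-session token replayable:", replay_window("session"))  # True
    print("per-request token replayable:", replay_window("request"))  # False
```

The usability cost the OWASP quote mentions shows up in per-request mode: a user who opens the same form in two tabs gets two different tokens, and a page reloaded from cache carries a token that may already have been consumed. Keeping all unconsumed tokens per session, as the store above does, softens the first problem; the second still needs the form to be re-rendered rather than served from cache.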