For securing forms, when do I issue the token?

Posted by AQuestionADayKeepsTheDrAway on Stack Overflow See other posts from Stack Overflow or by AQuestionADayKeepsTheDrAway
Published on 2010-06-03T16:51:17Z Indexed on 2010/06/03 16:54 UTC
Read the original article Hit count: 159

Filed under:
|

So, I have a form, to make it a little more secure and potentially help prevent CSRF attacks I want to add a random token value in a hidden field that value is also stored server side in my session data.

When should I issue a new token? Per form? Per page load where there is any form? Per session? I can render it invalid as soon as a form is successfully submitted but I'm wondering when to generate one.

I ask as if I issue it per form or per page do I not risk the chance of a duplicate token value overwriting the existing (valid) token if a user opens a separate window but submitting the first form (with the now overwritten value)?

© Stack Overflow or respective owner

Related posts about php

Related posts about csrf