For securing forms, when do I issue the token?
Posted by AQuestionADayKeepsTheDrAway on Stack Overflow
Published on 2010-06-03T16:51:17Z
Indexed on 2010/06/03 16:54 UTC
So, I have a form. To make it a little more secure and potentially help prevent CSRF attacks, I want to add a random token value in a hidden field; that value is also stored server-side in my session data.
When should I issue a new token? Per form? Per page load where there is any form? Per session? I can render it invalid as soon as a form is successfully submitted but I'm wondering when to generate one.
I ask because, if I issue it per form or per page, do I not risk the chance of a duplicate token value overwriting the existing (valid) token if a user opens a separate window but then submits the first form (with the now-overwritten value)?
© Stack Overflow or respective owner
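
The two-window overwrite described in the question, as an added example that is not part of the original post: it compares a single-slot per-page token with a bounded pool of per-form tokens and with one per-session token. The session is modelled as a plain dict and every function and key name here is hypothetical.

```python
import hmac
import secrets

# Assumption: `session` is a plain dict standing in for server-side session data.
def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def issue_single_slot(session):
    """New token on every form render, stored in one slot (overwrites the last)."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def check_single_slot(session, submitted):
    expected = session.get("csrf")
    ok = expected is not None and _eq(expected, submitted)
    if ok:
        del session["csrf"]  # invalidate only after a successful submit
    return ok

def issue_pooled(session, max_tokens=10):
    """New token per form, kept in a bounded pool so several open forms stay valid."""
    pool = session.setdefault("csrf_pool", [])
    token = secrets.token_urlsafe(32)
    pool.append(token)
    del pool[:-max_tokens]  # evict the oldest tokens beyond the cap
    return token

def check_pooled(session, submitted):
    pool = session.get("csrf_pool", [])
    for i, token in enumerate(pool):
        if _eq(token, submitted):
            del pool[i]  # single use: a replayed token is rejected
            return True
    return False

def issue_per_session(session):
    """One token for the whole session, created on first use."""
    return session.setdefault("csrf_session", secrets.token_urlsafe(32))

def check_per_session(session, submitted):
    expected = session.get("csrf_session")
    return expected is not None and _eq(expected, submitted)

def two_window_scenario(issue, check):
    """Window A renders a form, window B renders one, then A submits, then B."""
    session = {}
    token_a, token_b = issue(session), issue(session)
    return check(session, token_a), check(session, token_b)
```

Calling `two_window_scenario` with each issue/check pair shows that only the single-slot scheme rejects the first window's submission.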