[OWASP-Bangalore] Need help on CSRF

Kannan, Vinod K vinod.k.kannan at jpmorgan.com
Wed May 21 12:53:57 UTC 2014

The whole idea of having the CSRF token is to have a unique identifier per request so that the requests are not forged. That is the reason that every request should have a fresh token. If it is a single token for a session, then there is no reason that we should have one at all; the session itself would have sufficed.

Vinod Kannan
PMP, Sun Certified Enterprise Arch(SCEA) for Java, SSCP
Digital Information Technology Risk
Office: 614-785-7486 |Mobile: 614-804-0328 | Email: vinod.k.kannan at jpmorgan.com

From: owasp-bangalore-bounces at lists.owasp.org [mailto:owasp-bangalore-bounces at lists.owasp.org] On Behalf Of Nagasahas Dasa
Sent: Wednesday, May 21, 2014 7:16 AM
To: owasp-bangalore at lists.owasp.org; null-co-in at googlegroups.com
Subject: [OWASP-Bangalore] Need help on CSRF

Hey Guys,

I have a small confusion: a CSRF token is used to make sure that the request is generated for the same domain, right? And CSRF tokens are generated dynamically for each request. Am I right on this?

In that case, what are the disadvantages/impact of having a CSRF token created once during login and the same token used throughout the session?

Thanks in advance! :)

Nagasahas Dasa
Mobile: +91-9900027100
Blog: http://solidmonster.com
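The two token designs this thread compares, one token for the whole session versus a fresh single-use token for every form, as an added example that is not code from either poster; the store, method names and the in-memory list are assumptions for illustration, and a real application would keep this state in its session storage.

```python
import hmac
import secrets


class CsrfTokenStore:
    """CSRF token state kept server-side alongside one login session.

    per_request=False: one token minted at login and reused for every form
    (the design the question asks about); per_request=True: each rendered
    form gets a fresh single-use token (the design the reply argues for).
    """

    def __init__(self, per_request):
        self.per_request = per_request
        self._live = []  # tokens this session currently accepts

    def issue(self):
        """Return the token to embed in the next form as a hidden field."""
        if not self.per_request and self._live:
            return self._live[0]  # reuse the session-wide token
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._live.append(token)
        return token

    def validate(self, submitted):
        """Check the token that arrived with a state-changing request."""
        for token in list(self._live):
            # constant-time compare so timing cannot leak a live token
            if hmac.compare_digest(token, submitted):
                if self.per_request:
                    self._live.remove(token)  # single use, then discarded
                return True
        return False


def demo():
    """Exercise both designs and return the observed outcomes."""
    session_wide = CsrfTokenStore(per_request=False)
    t = session_wide.issue()
    results = {
        "session_token_reusable": session_wide.validate(t) and session_wide.validate(t),
        "session_token_stable": session_wide.issue() == t,
    }
    rotating = CsrfTokenStore(per_request=True)
    a, b = rotating.issue(), rotating.issue()  # two forms open in two tabs
    results["per_request_first_use"] = rotating.validate(a)
    results["per_request_replay"] = rotating.validate(a)  # same token again
    results["per_request_other_tab"] = rotating.validate(b)  # still accepted
    results["token_from_other_session"] = rotating.validate(session_wide.issue())
    return results
```

The per-request store shows the operational trade-off: a replayed token is rejected, but each open form needs its own live token or a second tab breaks, while the per-session store accepts its one token as long as the session lasts.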
