[Owasp-csrfguard] difference between session tokens and csrf tokens

Normando Macaraeg nmacaraeg at jaspersoft.com
Fri Jul 1 15:15:00 EDT 2011

Please forgive me if this is a silly question, but unfortunately I could
not give my team a clean answer to this question.  The question was "What
is the difference between a session token and a CSRF token (as generated
by CSRFGuard)?"


My understanding is that a session token is unique per user connection.


On the other hand, CSRFGuard tokens are injected into all HTML forms, all
src and href attributes in each page presented to the user.  Additionally,
a CSRF prevention token can be generated per session, if configured to do
so.  Isn't this CSRF session token basically the same as the web app
session token?  Or am I comparing apples to oranges?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20110701/1d3d08bf/attachment.html 

More information about the Owasp-csrfguard mailing list