[Owasp-leaders] CSRF unique per session or per action?

Christian Papathanasiou christian.papathanasiou at owasp.org
Wed Aug 20 15:00:04 UTC 2014


I'm in an internal debate with a colleague who, having read the OWASP CSRF cheat sheet, wants to implement a static CSRF token across the whole application.

I'm trying to convince them otherwise, as having a static CSRF token rather than one that is generated on the fly per form submission would technically be akin to having a static OTP.

Keen to get your thoughts, and if you tend to lean toward my viewpoint, I would also be keen to see the cheat sheet updated :-)

Kind regards,
Christian
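As an added example (not from the post or from the cheat sheet), the two designs under debate side by side: a session-scoped token that stays valid for the whole session, and a one-time token issued per form and consumed on first use. The `CsrfStore` class and its method names are hypothetical; it models a single user's server-side session state.

```python
import hmac
import secrets


class CsrfStore:
    """Hypothetical server-side CSRF state for one user session, in two modes."""

    def __init__(self):
        self.session_token = secrets.token_urlsafe(32)  # per-session mode: one token
        self.pending = set()                             # per-form mode: outstanding one-time tokens

    # --- per-session mode: every form embeds the same token ---
    def session_token_for_form(self):
        return self.session_token

    def validate_session_token(self, submitted):
        # Constant-time comparison; the token stays valid after a successful check
        return hmac.compare_digest(self.session_token, submitted)

    # --- per-form mode: each rendered form gets a fresh token ---
    def issue_form_token(self):
        token = secrets.token_urlsafe(32)
        self.pending.add(token)  # a real store would cap this set and expire entries
        return token

    def validate_form_token(self, submitted):
        # Constant-time match against outstanding tokens; consume on success
        for token in list(self.pending):
            if hmac.compare_digest(token, submitted):
                self.pending.discard(token)
                return True
        return False


def demo():
    """Show how the two modes behave on reuse, replay and a forged value."""
    store = CsrfStore()
    session_tok = store.session_token_for_form()
    form_tok = store.issue_form_token()
    return {
        "session_reuse": store.validate_session_token(session_tok)
        and store.validate_session_token(session_tok),   # True: reusable within session
        "form_first": store.validate_form_token(form_tok),  # True: first use accepted
        "form_replay": store.validate_form_token(form_tok),  # False: already consumed
        "forged": store.validate_form_token("constructed-bogus-token"),  # False
    }
```

The per-form store also needs a bound on `pending` and an expiry, otherwise abandoned forms accumulate tokens for the life of the session.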

