[Owasp-leaders] CSRF unique per session or per action?

Abbas Naderi abbas.naderi at owasp.org
Wed Aug 20 15:02:38 UTC 2014


Anything that can be known beforehand is not safe. We have two projects implementing CSRF protection, OWASP CSRF Protector and OWASP CSRF Guard. You can take ideas from those.
-A
On Aug 20, 2014, at 11:00 AM, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:

> In an internal debate with a colleague who, having read the OWASP CSRF cheat sheet, wants to implement a static CSRF token across the whole application.
> 
> I'm trying to convince them otherwise, as having a static CSRF token rather than one that is generated on the fly per form submission would technically be akin to having a static OTP.
> 
> Keen to get your thoughts, and if you tend to lean toward my viewpoint, I would be keen to also see the cheat sheet updated :-)
> 
> Kind regards,
> Christian
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
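The two designs debated in this thread, a per-session token versus a per-request token, can be put side by side in a few lines. The following is an added illustration written for this archive page; it is not code from either poster, nor from OWASP CSRF Protector or OWASP CSRF Guard. The class name `CsrfTokenStore`, its method names, and the in-memory dictionary keyed by session id are all assumptions made for the example. What it shows is the property Abbas points at: whichever lifetime the token has, it must be unpredictable (drawn from `secrets`), bound to the session that received it, and compared in constant time; the per-request variant additionally rejects a replayed token.

```python
import hmac
import secrets

# Added example, not code from OWASP CSRF Protector or CSRF Guard.
# Assumed design: the server keeps an in-memory store keyed by session id.
# Both strategies from the thread are shown:
#   - per-session token: one random value for the session's lifetime
#   - per-request token: a fresh random value per form, consumed on first use

TOKEN_BYTES = 32  # 256 bits of randomness per token


class CsrfTokenStore:
    """Server-side issue/validate logic for CSRF tokens (illustrative)."""

    def __init__(self):
        self._session_tokens = {}  # session_id -> token
        self._request_tokens = {}  # session_id -> set of not-yet-used tokens

    def issue_session_token(self, session_id):
        # Same token for the whole session; still random, still session-bound.
        if session_id not in self._session_tokens:
            self._session_tokens[session_id] = secrets.token_urlsafe(TOKEN_BYTES)
        return self._session_tokens[session_id]

    def issue_request_token(self, session_id):
        # New token for every rendered form; valid exactly once.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._request_tokens.setdefault(session_id, set()).add(token)
        return token

    @staticmethod
    def _well_formed(presented):
        # compare_digest on str requires ASCII; reject anything else up front.
        return isinstance(presented, str) and presented.isascii()

    def validate_session_token(self, session_id, presented):
        expected = self._session_tokens.get(session_id)
        if expected is None or not self._well_formed(presented):
            return False
        # Constant-time comparison: no timing side channel on the token value.
        return hmac.compare_digest(expected, presented)

    def validate_request_token(self, session_id, presented):
        if not self._well_formed(presented):
            return False
        unused = self._request_tokens.get(session_id, set())
        for token in list(unused):
            if hmac.compare_digest(token, presented):
                unused.discard(token)  # consumed: a replay of this value fails
                return True
        return False


def demo():
    """Walk through both strategies and report which checks pass."""
    store = CsrfTokenStore()
    session_token = store.issue_session_token("sess-A")
    request_token = store.issue_request_token("sess-A")
    return {
        # per-session token: stable within the session, accepted for it
        "session_token_accepted": store.validate_session_token("sess-A", session_token),
        "session_token_stable": store.issue_session_token("sess-A") == session_token,
        # a token issued to one session is useless in another
        "cross_session_rejected": not store.validate_session_token("sess-B", session_token),
        # per-request token: accepted once, then rejected as a replay
        "request_token_accepted": store.validate_request_token("sess-A", request_token),
        "replay_rejected": not store.validate_request_token("sess-A", request_token),
        # the session token is not a valid substitute for a request token
        "wrong_kind_rejected": not store.validate_request_token("sess-A", session_token),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Both variants reject the cases a CSRF check exists for, so the choice between them is about exposure window and replay, not about whether the token is "static" in the sense of being known in advance: a per-session token generated from `secrets` is not predictable, whereas a token hard-coded across the whole application would be, regardless of how often it is rotated.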
