[Owasp-leaders] CSRF unique per session or per action?

Pawel Krawczyk pawel.krawczyk at hush.com
Wed Aug 20 15:14:47 UTC 2014


Christian,

It depends on why and how it’s going to be implemented. Typical “per form” CSRF token would be a pain in AJAX based apps because you actually need to generate the pages on the server and embed the token. This is why cookie-to-header tokens are gaining popularity in AJAX apps - technically you’ve got a single token for the whole application, but the level of protection against CSRF attacks remains pretty much the same:

https://en.wikipedia.org/wiki/CSRF#Cookie-to-Header_Token


On 20 Aug 2014, at 16:00, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:

> In an internal debate with a colleague who having read the OWASP CSRF cheat sheet wants to implement a static CSRF token across whole application. 
> 
> I'm trying to convince them otherwise as having a static CSRF  token rather than one that is generated on the fly per form submission would technically be akin to having a static otp. 
> 
> Keen to get your thoughts and if you tend to lean toward my view point would be keen to also see that the cheat sheet is updated  :-)
> 
> Kind regards,
> Christian
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 


-- 
Pawel Krawczyk
pawel.krawczyk at hush.com +44 7879 180015
CISSP, OWASP



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140820/3bd1d866/attachment-0001.pgp>


More information about the OWASP-Leaders mailing list