[Owasp-leaders] CSRF unique per session or per action?

Jim Manico jim.manico at owasp.org
Wed Aug 20 15:14:49 UTC 2014


At absolute minimum, a CSRF token needs to be random and unique per
user session.  That means that no two users will have the same
CSRF token and the same user will have a different token each time
they log on. And yes, many frameworks provide a different token per
page or per form.

And to address your debate, any kind of static or predictable token is
doomed to failure.

Also keep in mind that tokens are just one part of CSRF defense.

1) Also be fully resistant to XSS; an XSS vuln can undermine just
about any CSRF defense.

2) Re-authentication helps.

3) You can also check for bad referrer headers as part of CSRF
intrusion detection. (but referrer checking is not a complete defense)

4) Also consider the double-submit-cookie (or triple-submit-cookie)
defense for stateless CSRF defense needs.

Happy to expand on any of this as you see fit.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Aug 20, 2014, at 10:01 AM, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
>
> In an internal debate with a colleague who, having read the OWASP CSRF cheat sheet, wants to implement a static CSRF token across the whole application.
>
> I'm trying to convince them otherwise, as having a static CSRF token rather than one that is generated on the fly per form submission would technically be akin to having a static OTP.
>
> Keen to get your thoughts, and if you tend to lean toward my viewpoint I would be keen to also see that the cheat sheet is updated :-)
>
> Kind regards,
> Christian
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
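The per-session synchronizer token and the stateless double-submit-cookie variant discussed in the reply above, as an added example that is not part of the original thread. SERVER_KEY, the session dict and the handler names are assumptions for illustration, not code from OWASP or either poster.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server-side key for the stateless variant; load it from
# configuration in a real deployment rather than hard-coding it.
SERVER_KEY = b"example-server-key-replace-me"


def new_session_token() -> str:
    """Synchronizer token: random, unique per session, stored server-side.
    Call this at login so every new session gets a fresh value."""
    return secrets.token_urlsafe(32)


def validate_session_token(session: dict, submitted: Optional[str]) -> bool:
    """Compare the token submitted with the form against the session copy.
    compare_digest keeps the comparison time independent of the input."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def double_submit_token(session_id: str) -> str:
    """Stateless variant: bind the cookie token to the session id with an
    HMAC so a value planted in a cookie by a third party does not validate."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_double_submit(session_id: str, cookie_token: Optional[str],
                           form_token: Optional[str]) -> bool:
    """Accept only when the cookie and form values match each other and
    match the HMAC recomputed from the session id."""
    if not cookie_token or not form_token:
        return False
    expected = double_submit_token(session_id)
    return (hmac.compare_digest(cookie_token, form_token)
            and hmac.compare_digest(expected, form_token))


def handle_state_change(session: dict, form: dict) -> str:
    """Simulated POST handler: refuse the request unless the token validates."""
    if not validate_session_token(session, form.get("csrf_token")):
        return "403 Forbidden"
    return "200 OK"
```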

