CSRF tokens - how to implement properly?

php security csrf
10,127

Solution 1

You can do either. It depends on the level of security you want.

The OWASP Enterprise Security API (ESAPI) uses the single token per user session method. That is probably a pretty effective method assuming you have no XSS holes and you have reasonably short session timeouts. If you allow sessions to stay alive for days or weeks, then this is not a good approach.

Personally, I do not find it difficult to use a different token for each instance of each form. I store a structure in the user's session with key-value pairs. The key for each item is the ID of the form, the value is another structure that contain the token and an expiry date for that token. Typically I will only allow a token to live for 10-20 minutes, then it expires. For longer forms I may give it a long expiry time.

If you want to be able to support the same form in multiple browser tabs in the same session, then my method becomes a little trickery but could still be easily done by having unique form IDs.

Solution 2

The OWASP Cheat Sheet has the most definitive answers for this sort of thing. It discusses different approaches and balancing of security vs. usability.

In brief they recommend having a single token per (browser) session. In other words in your case the same token is shared among tabs. The cheat sheet also emphasizes that it is very important not to expose your site to cross site scripting vulnerabilities, as this subverts the per session CSRF token strategy.

Share:
10,127
Industrial
Author by

Industrial

I just want to lie on the beach and eat hot dogs. That’s all I’ve ever wanted. Really.

Updated on July 01, 2022

Comments

  • Industrial
    Industrial almost 2 years

    I've just setup a simple CSRF protection in my application. It creates a unique crumb which are validated against a session value upon submitting a form.

    Unfortunately this means now that I can't keep multiple instances (tabs in the browser) of my application open simultaneously as the CSRF crumbs collide with each other.

    Should I create an individual token for each actual form or use a mutual, shared crumb for all my forms? What are common sense here?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

what is the difference between X-XSRF-TOKEN and X-CSRF-TOKEN?
How to properly add cross-site request forgery (CSRF) token using PHP
php not redirecting and logging in
access laravel app from android app with csrf token
CSRFGuard : required token is missing from the request
A better SQL string sanitization function
MIME Type spoofing
Invalid CSRF Token in POST request
Symfony2 Authentication "login_check" path not found
ERROR: WSDL - SOAP-ERROR: Parsing WSDL: Couldn't load from