Should I have short lifetime for my CSRF token or can I have it last for the length of the session?
Often sessions do expire within 60 minutes, so a session-based CSRF token has something like that as well (albeit it behaves a bit differently, as the timeout period extends with each interaction). However, after each hour, the session id should be regenerated as well, to prevent sessions that can be kept open indefinitely.
Make sure tokens can't be reused. Expire them after a short amount of time. Verify the received token is the same as the set token in a safe way, for example, compare hashes.
CSRF tokens are often bound to the user's session: while the user is logged in, they keep the same CSRF token. However, there are some security advantages to changing the CSRF token more often, or even on every request.
CSRF tokens should be generated on the server-side. They can be generated once per user session or for each request. Per-request tokens are more secure than per-session tokens as the time range for an attacker to exploit the stolen tokens is minimal.
A CSRF token is not an access token and does not have a lifetime like bearer tokens do. They are generated using session information.
csrf_token = HMAC(session_token, application_secret)
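The two schemes described in the answers above, a per-session token derived from the session id with an HMAC and a per-request single-use token with a short lifetime, both verified with a safe comparison, as working code. This is an added example, not code from any of the posters; the application secret, session ids and lifetime are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the server-side secret a real application would hold.
APPLICATION_SECRET = b"constructed-application-secret"


def session_csrf_token(session_token: str, application_secret: bytes = APPLICATION_SECRET) -> str:
    """Per-session token: HMAC over the session id, keyed with the application secret.

    The same session always yields the same token, so nothing has to be stored
    server-side; the token is tied to the session it was derived from.
    """
    return hmac.new(application_secret, session_token.encode(), hashlib.sha256).hexdigest()


def verify_session_csrf_token(session_token: str, received: str,
                              application_secret: bytes = APPLICATION_SECRET) -> bool:
    expected = session_csrf_token(session_token, application_secret)
    # Constant-time comparison: the token cannot be recovered byte by byte via timing.
    return hmac.compare_digest(expected, received)


class PerRequestTokens:
    """Per-request tokens: random, bound to a session, single use, short lifetime."""

    def __init__(self, lifetime_s: int = 600):
        self.lifetime_s = lifetime_s
        self._issued = {}  # token -> (session_token, expiry timestamp)

    def issue(self, session_token: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._issued[token] = (session_token, now + self.lifetime_s)
        return token

    def consume(self, session_token: str, received: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self._issued.pop(received, None)  # pop: a token is accepted at most once
        if entry is None:
            return False
        bound_session, expiry = entry
        if now > expiry:
            return False  # expired: the window for a stolen token has closed
        return hmac.compare_digest(bound_session.encode(), session_token.encode())
```

The `now` parameter only exists so expiry can be exercised deterministically; in production leave it unset.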
CSRF adds additional information to your requests that lets the server verify the request comes from an authorized location.
It only affects requests where the authorization info is sent automatically by the browser (cookie auth or basic/digest scheme).