-1

I have been reading up on how CSRF Tokens are implemented to prevent CSRF attacks. The OWASP page (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) and various articles state that one can generate a random unique token either on a per page basis or a per session basis (of which they recommend generating it once per session).

If only one token is generated per session, then wouldn't that mean that all form pages using tokens for that session will have to have the same token every time the page is loaded (whenever say it is refreshed)? But in most implementations I have seen each load for the form has a different random token.

How does it work? After every successful check at the server side, is the CSRF token present in the session invalidated?

I just wanted to know if I am understanding this right. I read many similar questions on Stackoverflow and other blogs but I am still confused.

Thanks!!

Kevin

2 Answers

0

I haven't read the OWASP page, but I believe in this context a session starts when a visitor first arrives at a site, and continues until the session expires (whether through inactivity or other generally server-defined criteria) or the visitor closes their browser.

When a session is first started, there won't be a CSRF token present in the session, so the server will generate one, and store the token in its internal data. A session handle is returned to the browser, and when the visitor loads or reloads another page on the site, it returns the session handle to the server, the server finds it has a CSRF token already set, and uses the existing one, rather than creating a new one. Thus, you don't need to worry about the token being invalidated as long as you only create a new one if there isn't one already present in the session.

FKEinternet
  • So does this mean that if I refresh the page containing the form, the token would be the same every time until the token in the session expires? – Kevin May 31 '17 at 06:02
  • 1
    Yes, as long as you pass the required session handle to the server when requesting a page. What language are you working with? In PHP, for example, you call `session_start()` near the beginning of the code for a page. The first time your site is visited, it won't have a CSRF token in it, so you'll add it to the `$_SESSION` array. Assuming your PHP is set up in the usual way, a cookie is sent to the browser containing the session ID, and the browser returns the cookie for any other page requests on your site. Then, when you call `session_start()`, it will have the CSRF token you need. – FKEinternet May 31 '17 at 06:12
0

Even if the CSRF secret is only generated once per session, it's possible for each form to get a different token, by salting and hashing the secret (similar to how passwords are salted and hashed) that's sent to the browser. On form submission, the server can verify the salted token against its secret (again, similar to how passwords are checked). That way, each form can get its own unique token, without the server needing to remember or invalidate anything other than the per-session secret.

Ove
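The scheme the answer above describes (one secret per session, a different token per form render, nothing extra stored server-side), as an added Python example that is not code from either answer. It uses HMAC-SHA256 as the "salted hash", with a random 16-byte salt prepended to the token; the in-memory `dict` stands in for whatever session store a real application uses, keyed by the session ID cookie.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 16   # bytes of random salt prepended to every issued token
MAC_LEN = 32    # bytes of HMAC-SHA256 output


def new_session():
    """Create a session holding one CSRF secret for its whole lifetime.

    Constructed stand-in for server-side session storage: a real app keeps
    this in its session store, looked up via the session ID cookie, and the
    secret itself is never sent to the browser.
    """
    return {"csrf_secret": secrets.token_bytes(32)}


def issue_form_token(session):
    """Derive a fresh per-form token from the per-session secret.

    A new random salt is MACed with the session secret, so every form render
    yields a different token even though the server stores nothing new.
    """
    salt = secrets.token_bytes(SALT_LEN)
    mac = hmac.new(session["csrf_secret"], salt, hashlib.sha256).digest()
    return (salt + mac).hex()


def verify_form_token(session, token):
    """Recompute the MAC over the submitted salt and compare in constant time.

    Malformed input (bad hex, wrong length) is rejected rather than raising,
    so a rejected form submission looks the same whatever the cause.
    """
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return False
    if len(raw) != SALT_LEN + MAC_LEN:
        return False
    salt, mac = raw[:SALT_LEN], raw[SALT_LEN:]
    expected = hmac.new(session["csrf_secret"], salt, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)
```

Because the secret is bound to the session, a token issued for one session fails verification against any other, and it stops working the moment the session (and its secret) expires.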