On 3/9/11 21:06 , Ben Bangert wrote:
So I guess I would consider a CSRF token to be usable and valid from the users login, to the users logout on your website. If there was a way to steal cookies from your users, the CSRF token wouldn't matter since the attacker could use the stolen cookie to do a GET/POST with a new CSRF token as the other user. Thus any additional rotation of the CSRF token seems a bit overkill and more prone to cause situations where a user might hit the back button and try to re-submit a form causing them to see a CSRF error and think they're being hacked or something when they aren't.
FWIW this is the approach I take in all my apps: on user login I generate a new CSRF token for a user, and that stays valid until the next login. The only tricky bit is that you have to be careful not to reset the token if a user logins in while already logged in, for example because he had multiple browser tabs opened on a login form.
Wichert. -- You received this message because you are subscribed to the Google Groups "pylons-devel" group. To post to this group, send email to pylons-devel@googlegroups.com. To unsubscribe from this group, send email to pylons-devel+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/pylons-devel?hl=en.
