This implementation should be done as an alternative, not as the main one.
In fact, to generate a token, a session identifier is required instead of a random sequence stored in the session.
For single page applications, this can be a problem. On any call to the page with the session, the session and the token are extended. In the new version, we will have to constantly update the client token, which can complicate the implementation of the application. With several separate browser tabs, updating the token becomes completely impossible.
We currently use the synchronizer token pattern from https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern. It is stateful. Switching to any stateless pattern would make starting a session obsolete.
See #12
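The following is an added example, not code from this project or from the issue author, contrasting the two token schemes the issue discusses: the stateful synchronizer token (one random value kept in the server-side session) and a stateless token that is an HMAC over the session identifier, built after the "signed double-submit cookie" recipe in the linked OWASP cheat sheet. `SessionStore`, `issue_stateless_token`, `verify_stateless_token` and `SERVER_SECRET` are hypothetical names chosen here. The last step of the `__main__` block shows the behaviour the issue complains about: once the session identifier changes, a stateless token issued for the old identifier no longer verifies, so the client has to fetch a fresh one, whereas the synchronizer token stays valid for as long as its session exists.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment loads the key from a secret store.
SERVER_SECRET = b"example-only-hmac-key-32-bytes-long!!"


# --- Stateful: synchronizer token pattern (the scheme the issue says is in use) ---
class SessionStore:
    """In-memory session store; one random CSRF token lives inside each session."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]

    def verify(self, sid, presented):
        """Valid while the session exists; extending the session needs no re-issue."""
        session = self._sessions.get(sid)
        if session is None or not isinstance(presented, str):
            return False
        return hmac.compare_digest(session["csrf"], presented)


# --- Stateless: HMAC-signed token bound to the session identifier ---
def _sign(sid, random_value):
    # Length-prefixed fields, as in the OWASP signed double-submit recipe, so the
    # boundary between session id and random value cannot be shifted by an attacker.
    message = f"{len(sid)}!{sid}!{len(random_value)}!{random_value}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def issue_stateless_token(sid):
    """Nothing is stored server side; the token only verifies against this sid."""
    random_value = secrets.token_urlsafe(32)  # URL-safe alphabet, never contains '.'
    return f"{_sign(sid, random_value)}.{random_value}"


def verify_stateless_token(sid, token):
    """Recompute the HMAC for the *current* session id and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    mac, random_value = token.split(".", 1)
    return hmac.compare_digest(_sign(sid, random_value), mac)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    sync_tok = store.csrf_token(sid)
    print("synchronizer token ok:", store.verify(sid, sync_tok))

    stateless_tok = issue_stateless_token(sid)
    print("stateless token ok:", verify_stateless_token(sid, stateless_tok))

    # The session id is regenerated (e.g. on login): the stateless token issued
    # for the old id is now rejected and the client must obtain a new one.
    new_sid = store.create()
    print("stateless token after sid change:",
          verify_stateless_token(new_sid, stateless_tok))
```

Both verifiers use `hmac.compare_digest` so that a mismatching token does not leak, via timing, how many leading characters were correct.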