
Recently I've added CSRF protection to the HTML forms on my website that need it.

This works as follows:

  • The server generates a hash and stores it in a session variable.
  • The hash is then inserted into an HTML input inside the HTML form.
  • When the form is submitted, the server takes the session variable and compares it to the value POSTed from the client's form.

So that works fine, but when I need to use JavaScript to submit the form and receive the response, it doesn't work, because the token is regenerated when the client makes a request with that form.


Is it safe to return a new token with the server response?

Or should I do it differently, like generating the hash only once per session?

Max Maximilian
  • I would suggest you implement generating the hash only once per session. – shrikant Jul 26 '17 at 08:42
  • @shrikant Yeah, exactly. I saw a similar question and the response was that it's better to use a per-session token because it is more convenient. – Max Maximilian Jul 26 '17 at 08:44
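An added example in Python (not code from the question or its commenters) that models both token policies discussed above: the per-request regeneration the question describes and the per-session token suggested in the comments. A simulated JavaScript caller submits the rendered hidden value twice and then the token echoed in the first response, which shows exactly which submission breaks under each policy. `TOKEN_KEY`, the in-memory `session` dict and all function names are assumptions.

```python
import hmac
import html
import secrets

TOKEN_KEY = "csrf_token"  # assumed form/session field name, not from the question

def rotate_token(session: dict) -> str:
    """Per-request policy from the question: a fresh token on every issue."""
    session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]

def session_token(session: dict) -> str:
    """Per-session policy from the comments: generate once, reuse afterwards."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]

def render_hidden_input(token: str) -> str:
    """Hidden input placed inside the form; the value is HTML-escaped."""
    return f'<input type="hidden" name="{TOKEN_KEY}" value="{html.escape(token)}">'

def validate(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted value with the session copy."""
    expected = session.get(TOKEN_KEY)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)

def handle_post(session: dict, form: dict, issue) -> dict:
    """Response a JavaScript caller receives. `issue` is the token policy; on
    success the currently valid token is echoed back so the client can update
    its hidden input before the next submission."""
    if not validate(session, form.get(TOKEN_KEY)):
        return {"status": 403, "error": "CSRF token mismatch"}
    return {"status": 200, TOKEN_KEY: issue(session)}

def simulate(issue) -> list:
    """One page render, then three JavaScript submissions: twice with the
    original hidden value, then with the token from the first response."""
    session = {}
    original = issue(session)  # token embedded in the form at render time
    first = handle_post(session, {TOKEN_KEY: original}, issue)
    second = handle_post(session, {TOKEN_KEY: original}, issue)  # stale under rotation
    third = handle_post(session, {TOKEN_KEY: first[TOKEN_KEY]}, issue)
    return [first["status"], second["status"], third["status"]]

if __name__ == "__main__":
    print("per-request rotation:", simulate(rotate_token))   # [200, 403, 200]
    print("per-session token:   ", simulate(session_token))  # [200, 200, 200]
```

The third submission succeeds under rotation only because the client replaced its hidden value with the token from the response; a per-session token needs no such client-side bookkeeping.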
