Is one CSRF token per session is adequate with HTTPS?

To prevent CSRF you need to have something unguessable in the explicit part of the request (GET or POST). Putting it into the POST part is preferred, since it's harder to leak it, and you typically only protect requests that trigger an action, which should be POST.

A per-session random value is unguessable and should do the job. The standard anti CSRF token mechanism built into ASP.net works just like that.

HTTPS prevents leaking the token on the wire, and also prevents replay attacks. So a one-time-token doesn't seem necessary.

Tags:

Ajax

Csrf

Tls

Related

What can an attacker do with Bluetooth and how should it be mitigated? What is this authentication method/approach called? What does a HTML filter need to do, to protect against SVG attacks? Security comparsion of 3DES and AES Do client certificates provide protection against MITM? Why Do we Need CAPTCHA? In what case we should use it? Chrome SSL Warning: "You cannot proceed because the website operator has requested heightened security for this domain. " Making a Windows cert say it's purpose is "Ensures the identity of a remote computer" What does scorecardsresearch.com/beacon.js - added by Disqus.com - do? If someone asks to borrow your phone to make a call, what could they do? Will reporting phishing emails cause problems for the victim? OpenSSH default/preferred ciphers, hash, etc for SSH2

Recent Posts