Closed (psibean closed this 2 months ago)
Looks like a good option to have. By session you mean a 'log in session', right?
Any session. An anonymous session will still have a csrf token, and you can still tie that csrf token to that session by the session id.
By session I just mean the id of the session, the session string. For people using JWT as a session identifier, then that would be considered their session id, and they would only need it when authenticated.
So, creating a session and generating a csrf token, this will work. Once the user logs in, the session SHOULD be rotated, but this logic is often left to the developer, and most aren't well-versed or educated and they don't actually do this. In this case, the CSRF token generated when the session was created will continue to work.
However, if the session is rotated (session id changed) when login occurs (privilege escalation) as it should, then those developers will also need to make sure a new CSRF token is generated on the session rotation. Similarly for rotating on logout.
Natively support session <> CSRF token association so CSRF tokens are only valid for the session they are generated for.