expressjs / csurf

CSRF token middleware
MIT License

How to expire old csrf tokens? #53

Closed maplesap closed 9 years ago

maplesap commented 9 years ago

In the document, the example given:

// setup added for context; the docs show only the route below. csurf needs a cookie or session to keep its secret
var app = require('express')()
app.use(require('cookie-parser')(), require('csurf')({ cookie: true }))
// pass the csrfToken to the view
app.get('/form', function(req, res) {
  res.render('send', { csrfToken: req.csrfToken() })
})

Shows that it will provide the form with a new csrf token whenever /form is requested.

If I refresh the form to get a new csrf token, but POST with the old csrf token, it won't throw a 403 error and will succeed.

Would it be good practice to expire old tokens as soon as they are used? How can that be done with csurf?

dougwilson commented 9 years ago

How would that work if a user opened the same form in two tabs and then painstakingly filled them both and one was rejected?

Expiration is not required for the goal of what CSRF protection achieves.

jonathanong commented 9 years ago

if you want to expire tokens, you would just change the secret

jonathanong commented 9 years ago

@maplesap you want something different than CSRF, something more specific and requires a database in the backend.