Closed maplesap closed 9 years ago
How would that work if a user opened the same form in two tabs and then painstakingly filled them both and one was rejected?
Expiration is not required for the goal of what CSRF protection achieves.
if you want to expire tokens, you would just change the secret
@maplesap you want something different than CSRF, something more specific and requires a database in the backend.
In the document, the example given shows that it will provide the form with a new csrf token whenever /form is requested. If I refresh the form to get a new csrf token, but POST with the old csrf token, it won't throw a 403 error and will succeed. Would it be good practice to expire old tokens as soon as they are used? How can that be done with csurf?