Open chespinoza opened 9 years ago
As I understand it, the BREACH attack works when the same secret is sent across many requests. I don't think including the same token several times on one page should influence this, as the token is still randomized per request. Though a word from someone more familiar with the internals of BREACH would be more ensuring.
Multiple, identical tokens can be more easily identified in a compressed response due to the way compression works (i.e. go back N bytes for X length). I'm not sure there's an easy way to deal with this across multiple forms though - the better solution may be to provide one token shared across all forms on the page, and/or reconsider your UX/UI (multiple forms on a page - what for?). Stuff like search forms (a GET request) don't need CSRF tokens either.
On Sun Nov 09 2014 at 3:41:13 PM Justinas Stankevičius <notifications@github.com> wrote:

> As I understand it, the BREACH attack works when the same secret is sent across many requests. I don't think including the same token several times on one page should influence this, as the token is still randomized per request. Though a word from someone more familiar with the internals of BREACH would be more ensuring.
>
> https://github.com/justinas/nosurf/issues/19#issuecomment-62295080
Ok, my wording was a bit off. Repeating the same token on a page does have influence, but capturing one request is not enough to recover it. Nosurf's approach should still be viable – no token is repeated twice.
I came across the same situation here: http://stackoverflow.com/questions/26818516/processing-multiple-forms-from-an-only-template
And I'm wondering if using only one token for several POST requests might work, and if it is secure enough?
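The per-request masking discussed in this thread (one secret per session, XORed with a fresh random pad every time it is rendered, so two forms on the same page never carry identical bytes for a compressor to match, while the server still verifies all of them against the same stored secret), as an added Go example. This is illustrative code written for this thread, not nosurf's own implementation; the 32-byte token length, the `pad || (secret XOR pad)` layout, the base64 encoding and the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// tokenLength is an assumed size for the CSRF secret and its pad.
const tokenLength = 32

// NewSecret generates the per-session secret. It is kept server-side (or in
// a cookie) and is never written into the page in plaintext.
func NewSecret() ([]byte, error) {
	b := make([]byte, tokenLength)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// MaskToken returns a fresh one-time-pad encoding of secret: pad || (secret XOR pad).
// Every call draws a new pad, so every form field and every response carries a
// different string even though all of them decode to the same secret.
func MaskToken(secret []byte) (string, error) {
	if len(secret) != tokenLength {
		return "", errors.New("secret has wrong length")
	}
	pad := make([]byte, tokenLength)
	if _, err := rand.Read(pad); err != nil {
		return "", err
	}
	out := make([]byte, 2*tokenLength)
	copy(out, pad)
	for i := range secret {
		out[tokenLength+i] = secret[i] ^ pad[i]
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// UnmaskToken reverses MaskToken, recovering the secret from a submitted field value.
func UnmaskToken(masked string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(masked)
	if err != nil {
		return nil, err
	}
	if len(raw) != 2*tokenLength {
		return nil, errors.New("masked token has wrong length")
	}
	secret := make([]byte, tokenLength)
	for i := 0; i < tokenLength; i++ {
		secret[i] = raw[i] ^ raw[tokenLength+i]
	}
	return secret, nil
}

// VerifyToken checks a submitted masked token against the stored secret.
// Malformed input is rejected, and the comparison is constant-time so the
// check itself does not leak which bytes matched.
func VerifyToken(secret []byte, masked string) bool {
	got, err := UnmaskToken(masked)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(got, secret) == 1
}

func main() {
	secret, _ := NewSecret()
	// Two forms on one page: each gets its own masked value.
	formA, _ := MaskToken(secret)
	formB, _ := MaskToken(secret)
	fmt.Println("distinct field values:", formA != formB)
	fmt.Println("both verify against one secret:", VerifyToken(secret, formA) && VerifyToken(secret, formB))
}
```

Each form on a page gets its own `MaskToken` output, so nothing repeats inside the compressed body, yet the handler for every POST verifies against the same session secret, which is the "one token, several forms" arrangement asked about above.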