koajs / csrf

CSRF tokens for koa
MIT License

why change tokens on every request #24

Closed aobo-y closed 8 years ago

aobo-y commented 8 years ago

May I know the advantages of constantly changing tokens?

As far as I know, only one CSRF secret is created with each session; therefore, all tokens will be valid within the same session (the older one won't expire as a result of creating a new one).

Can I simply create one token when creating the session and always return the same token for all incoming requests?

```js
// store the token issued on the first request in the session
ctx.session.csrf = ctx.csrf;
// then always return ctx.session.csrf
```

luckydrq commented 8 years ago

It's safer to change the token per request. It will be useful to prevent some attacks such as timing attacks.