liberapay / liberapay.com

Source code of the recurrent donations platform Liberapay
https://liberapay.com/

The CSRF token isn't different for every request #1131

Open Changaco opened 6 years ago

Changaco commented 6 years ago

Reusing a CSRF token throughout a browser session is theoretically not as secure as generating a different one for every form.

Reports: https://hackerone.com/reports/361130 and https://hackerone.com/reports/361400.
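To make the distinction in the comment above concrete, here is an added example (not Liberapay's code, and not taken from the linked reports) contrasting the two schemes in a minimal in-memory session model: one token issued once and reused for every form in the session, versus a fresh single-use token issued each time a form is rendered. The class names, the outstanding-token cap and the sample inputs are all assumptions made for the illustration.

```python
import hmac
import secrets

# Added example, not Liberapay's own code. Two CSRF-token schemes over a
# minimal in-memory "session" object:
#   SessionCsrf  - one token generated per session and reused by every form
#                  (the scheme the issue describes)
#   PerFormCsrf  - a distinct token per rendered form, consumed on first use


class SessionCsrf:
    """One token per session, accepted by every form for the whole session."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)

    def issue(self) -> str:
        # The same value goes into every form the session renders.
        return self.token

    def verify(self, submitted) -> bool:
        # Constant-time compare so the check itself is not a timing oracle.
        return hmac.compare_digest(self.token, submitted or "")


class PerFormCsrf:
    """A fresh token for each rendered form; each token is valid exactly once."""

    MAX_OUTSTANDING = 20  # assumed bound on unused tokens kept per session

    def __init__(self):
        self.outstanding = []  # insertion-ordered list of not-yet-used tokens

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)
        self.outstanding.append(token)
        if len(self.outstanding) > self.MAX_OUTSTANDING:
            self.outstanding.pop(0)  # drop the oldest unused token
        return token

    def verify(self, submitted) -> bool:
        # Compare against every outstanding token in constant time and consume
        # the one that matches, so a token can never be replayed.
        for i, token in enumerate(self.outstanding):
            if hmac.compare_digest(token, submitted or ""):
                del self.outstanding[i]
                return True
        return False


def demo() -> dict:
    """Exercise both schemes with constructed inputs and return the outcomes."""
    session = SessionCsrf()
    t = session.issue()
    session_reusable = session.verify(t) and session.verify(t)  # accepted twice

    per_form = PerFormCsrf()
    a = per_form.issue()
    b = per_form.issue()
    return {
        "session_token_reusable": session_reusable,      # True
        "per_form_first_use": per_form.verify(a),         # True
        "per_form_replay": per_form.verify(a),            # False: consumed
        "per_form_other_form": per_form.verify(b),        # True: independent
        "per_form_forged": per_form.verify("x" * 43),     # False
        "per_form_missing": per_form.verify(None),        # False
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The trade-off a practitioner should weigh before switching schemes: a per-form token limits how long a token that has leaked (for example through a log or a disclosed page) stays usable, but it also means a form opened in a second tab, or resubmitted after the browser's back button, carries a token that has already been consumed or evicted, so the application needs a graceful path for that rejection.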

Changaco commented 6 years ago

Another related report (not public yet): https://hackerone.com/reports/361414.