Comments (9)
dougwilson
commented on April 25, 2024
The token is validated against the visitor's session or csrf cookie.
from csurf.
francisfernando
commented on April 25, 2024
I didn't put any option on the csrf(); i guess it will be on the session. Because when i end the user's session it will be invalid.
from csurf.
dougwilson
commented on April 25, 2024
Sorry, I guess it submitted my "first draft". Here is what I meant to post:
The token is validated against the visitor's session or csrf cookie. This means that the token is valid for the entire life time (in your case the life of the session). For most use-cases this is good enough, since the main protection is to guard against another origin with the same user's web browser making a cross-origin request (it won't know the token). The token is different for each req.csrfToken() to guard against BEAST when served over SSL.
If there is a desire to create per-page tokens, that shouldn't be too difficult to add in, so PRs welcome!
from csurf.
francisfernando
commented on April 25, 2024
Thanks for the information and explanation. For the meantime i will limit the token to the page that was required. I will try to check if i can add a create per-page token. I'm thinking if we can add option to path on the token and path from on the request params.
from csurf.
francisfernando
commented on April 25, 2024
By the way i'm just new on here what do you mean about this "PRs welcome!" . Sorry very noob question . Thanks
from csurf.
dougwilson
commented on April 25, 2024
Hi @francisfernando sorry, PR = pull request https://help.github.com/articles/about-pull-requests/
from csurf.
francisfernando
commented on April 25, 2024
Thanks. Happy to help . I will review on how i can help. The issue per page you cannot determine where the call have been perform(which page). Do you have any idea how we can check this in express js or node?
from csurf.
dougwilson
commented on April 25, 2024
@federomero not off-hand, which is why I was hoping for some help :)
from csurf.
fluxsauce
commented on April 25, 2024
I gave this a try - fluxsauce@7d0ef69 - and it worked within a very limited set of circumstances. If you are performing multiple POSTs on a page, such a tracking event followed by a form submission, something will fail. If you open up two browser windows, both with login forms, one of those login forms will be broken.
Kind of on the "not worth it" side of the fence right now :-(
from csurf.
Related Issues (20)
- Feature add 'Encrypted Token Pattern' HOT 3
- Add credentials warning to documentation HOT 7
- A way of getting csrfToken through POST request HOT 3
- Cannot validate CSRF token using the example code HOT 4
- Can docs clarify how cookie mode works? HOT 3
- please document the `signed` config option HOT 4
- Disable CSRF checking during tests HOT 1
- previous token still valid HOT 1
- Token Lifetime HOT 2
- Need docs and examples for working with single page application. HOT 3
- BREACH attack mitigation HOT 2
- No regeneration of secret when a valid token is submitted HOT 2
- A cookie secret is not really secret HOT 1
- Upgrade to [email protected] for SameSite=None support HOT 1
- Best practice for the csrf token and secret (signed? httponly?) HOT 1
- User's CSRF Token is invalid but doesn't look like so HOT 7
- New token secret with every request HOT 3
- Update docs to address situations with mixed protection approaches HOT 1
- How I can validate csrf token one time with only a request
- Failed on validation when using with 2 backends
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from csurf.