I made it so that with each page refresh a new CSRF token is generated in the session. But I noticed that if the user is sitting on one page (for example, editing his data) and opens another tab with the site, then he is given a new token. That is, on the old page he will not be able to send any more requests, since the token will already be different.

How is this solved? Or did I incorrectly implement the token verification system?

1 answer

My options are:

1. Store in the session not one token but an array, with the page addresses (for http and https the tokens must be different) on which each token is used, and timestamps. Remove tokens from the array as they are used or expire.

2. Keep the session key. For each page, generate a token based on this key, the page address and the user's IP address. You can optionally use a timestamp to determine the token's lifetime (for a long session). Then the final token will consist of a hash and a timestamp.
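An added example (not the answerer's code) of option 2: a per-page token derived with an HMAC from a per-session secret, the page address, the client IP and an issue timestamp, so two open tabs each hold a valid token without the server storing one token per page. Function names, the 1-hour lifetime and the sample URLs/IP are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the answer leaves it to the reader


def make_session_key() -> str:
    """One random secret stored in the session once; every token derives from it."""
    return secrets.token_hex(32)


def _digest(session_key: str, page: str, client_ip: str, issued_at: int) -> str:
    # Bind the token to the session secret, the full page address (scheme
    # included, so http and https pages get different tokens), the client IP
    # and the issue time. Note: IP binding rejects users whose address changes
    # mid-session (mobile networks, proxies); drop client_ip if that matters.
    message = f"{page}|{client_ip}|{issued_at}".encode()
    return hmac.new(session_key.encode(), message, hashlib.sha256).hexdigest()


def issue_token(session_key: str, page: str, client_ip: str,
                now: Optional[int] = None) -> str:
    """Return 'hash:timestamp'. Nothing per page is kept in the session."""
    issued_at = int(time.time()) if now is None else now
    return f"{_digest(session_key, page, client_ip, issued_at)}:{issued_at}"


def verify_token(token: str, session_key: str, page: str, client_ip: str,
                 now: Optional[int] = None, ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """Recompute the HMAC for the submitting page/IP and check hash and expiry."""
    now = int(time.time()) if now is None else now
    try:
        submitted_hash, ts_text = token.rsplit(":", 1)
        issued_at = int(ts_text)
    except ValueError:
        return False  # malformed token
    if issued_at > now or now - issued_at > ttl:
        return False  # expired, or a timestamp from the future
    expected = _digest(session_key, page, client_ip, issued_at)
    # constant-time comparison so a wrong guess does not leak how close it was
    return hmac.compare_digest(submitted_hash, expected)
```

Because the timestamp travels inside the token and is covered by the HMAC, a client cannot extend a token's lifetime by editing it.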