CSRF protection when deleting multiple AJAX items

When I use a single form (registration, for example), I create a token and a session to "control" that the request will only be executed from the source page. But when I have several buttons that will be called via AJAX, what is the best way to handle that? Is it feasible to create hundreds of sessions, one for each token? In this type of application, are <form>s or <a> links even used?

Example:

[image]

These buttons will be executed via AJAX.

1 answer

CSRF protection exists to prevent another website, or other software such as a mobile app, from making a request on behalf of the user, in short.

For example:

$.post("https://twitter.com/i/tweet/like", {
    authenticity_token: "411e9d041eb283109fdde6f4357ec128d3e47bec",
    id: "815385473703022593",
    tweet_stat_count: "1998"
});

If there were no authenticity_token (which is Twitter's CSRF token), it would be possible to include this on a website, and everyone who visited it would like the tweet 815385473703022593. The presence of the authenticity_token is what stops it, because it is a random number.

The CSRF token was created to prevent this from working...

$.post("https://twitter.com/i/tweet/like", {id: "815385473703022593", tweet_stat_count: "1998" });

... for example, IGNORING THAT CORS EXISTS.

However, all requests (like, retweet, tweet removal, ...) from the same user use the same token, and it makes no sense to have a different token per button; that's insane.

You do not need to keep it in the session, although I recommend it; you can keep it in a plain-text cookie. Instagram does this: the cookie named csrftoken is what validates the header named x-csrftoken; if you change both the header and the cookie to 1, it will be accepted as valid.

Anyway, just use one token for all buttons; that is enough. ;)
