View Issue Detail

ID	Project	Category	Submitted / Last Updated
00775	UserSpice	Misc	2020-01-06 13:04:07 / 2020-07-22 20:05:52
Reported	Albert Gukasian	Assigned To	Unassigned
Priority	none	Reported	5.0.07
Status	closed	Resolution Version and Commit
Summary	CSRF token. Does not need to be generated per request.
Description	<p>Generating the csrf token per for request is bad for user experience.</p> <p>As per the article below: https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request , the csrf should be generated per session and tracked that way.</p> <p>Generating the csrf token per for request is bad for user experience.</p> <p>As per the article below: https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request , the csrf should be generated per session and tracked that way.</p>

November 2021
The reason that UserSpice is creating CSRF's per page is due to it prevent's re-submission of form's.
xxxxxxxxxx

The reason that UserSpice is creating CSRF's per page is due to it prevent's re-submission of form's.
November 2021
But if you create multiple forms with csrf being renewed on each form submition/refresh of the page, when the user has the page opened on multiple tabs and tries to submit the forms he gets errors.
xxxxxxxxxx

But if you create multiple forms with csrf being renewed on each form submition/refresh of the page, when the user has the page opened on multiple tabs and tries to submit the forms he gets errors.
November 2021
We've created a system in which the CSRF token was generated based on session but this did not work on all installs.
xxxxxxxxxx

We've created a system in which the CSRF token was generated based on session but this did not work on all installs.