Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>In general, it suffices to have just <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation%3a_Synchronizer_Token_Pattern">one token per session</a>, a so called <em>per-session token</em>:</p> <blockquote> <p>In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires.</p> </blockquote> <p>If you want to further enhance the security, you can use one token per each form/URL (<em>per-form token</em>) to mitigate the impact when one token leaks (e. g. <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#No_Cross-Site_Scripting_.28XSS.29_Vulnerabilities">XSS</a>) as an attacker would only be able to successfully attack that specific form/URL.</p> <p>But using <em>per-request tokens</em>, i. e. tokens that change with each request, rather cuts the usability of the website as it restricts parallel browsing:</p> <blockquote> <p>To further enhance the security of this proposed design, consider randomizing the CSRF token […] for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. Note, however, that this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server.</p> </blockquote> <p>So I recommend you to use either per-session tokens or per-form tokens.</p>
    singulars
    1. This table or related slice is empty.
    1. POCSRF protection: do we have to generate a token for every form?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. This table or related slice is empty.
    1. USGumbo
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POCSRF protection: do we have to generate a token for every form?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COI think per form tokens would work if: **a)** You only create the token when the user first loads the form, any subsequent form loads should re-use the first token for that form. **b)** When storing the token in the session it should include an identifier for the specific page/form. E.g. SESSION['edit-user-csrf'] and SESSION['edit-order-csrf'] and that way you can open up a different page in a different tab and the two forms can still be submitted successfully as the session is storing both tokens (one for each form). The page knows which csrf token to check and use because it's on that page.
      singulars
      1. PO
      1. USzuallauz
    2. COMake sure you have Inactivity and Absolute session times that require re-authentication and new token generation. (Example: 20 minutes of inactivity or 4 hours absolute)
      singulars
      1. PO
      1. USLaJmOn
    3. CO@zuallauz The form’s URL can be used to identify the form. If that doesn’t suffice, you can add any other identifying information (e. g. hidden input values) to it or, even better, use a [form container to store the hidden input values into](http://stackoverflow.com/a/9108483/53114) that will also [prevent spoofing of hidden input values](http://stackoverflow.com/a/9209121/53114).
      singulars
      1. PO
      1. USGumbo
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload