Can someone confirm this: do I need to provide both a CSRF token and a Captcha in a submission form, or do the two more or less serve the same function (one can be used instead of the other)?
+2
A:
Yup I was wrong. Both captcha and token are session-bound.
However I still see not much sense in this question.
You cannot use CAPTCHA for the every form on the site. It will drive users crazy and away.
Thus, why not to have a token for the every form by default and CAPTCHA for selected ones?
Col. Shrapnel
2010-09-27 18:34:50
Requiring interactive user input prevents XSRF; Because captchas require interactive user input, they can be used to prevent XSRF, just like tokens.
erickson
2010-09-27 18:52:15
+10
A:
A captcha can be used instead of a CSRF token. This is covered in the OWASP CSRF Prevention Guide. A Captcha is considered to be a stronger form of CSRF prevention than a token or referer check because it cannot be bypassed with XSS.
Rook
2010-09-27 18:35:18
+1. You only **need** a CSRF token if you are not displaying a Captch image on a form (for example, if you let logged-in users submit without requiring captcha)...
ircmaxell
2010-09-27 18:48:29
@jblue happy to help. I think this is a good question because it gets at the heart of what CSRF really is.
Rook
2010-09-28 17:36:42