when building apps I use a token to prevent attacks on the forms

each time a form is rendered it gets a new ONE TIME security token that I include in the form as a hidden field. This token is also stored in the session.

when the form is sent, the token is verified against the token in the session to make sure the form is legit. This works great for standard pages.

PROBLEM: when using Ajax to send forms, there may be multiple on a page; once you send one of these forms, the token is then invalid for the others as it's a one time token.

Does anyone have advice for this? Or is it secure enough to generate one token per session and just use that instead of invalidating the token each time a form is sent?

+2  A: 

If you want to follow your current approach, you can generate a security token each time you do an AJAX request, return it in the AJAX response, and inject it into the hidden field when you get it. However, I'd go rethinking your current approach for security tokens. Here you have some tips about that in the OWASP wiki.

Matias
http://csrf.htmlpurifier.org/ Do you think this is a valid solution?
David Morrow
I was not aware of this library, but it seems to be a good option, thanks for that. In my opinion, I would not go doing that work; it's better to delegate it to a library, and later, if needed, build it.
Matias
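Below is an added example (not code from the question, the answer, or any library mentioned) that simulates the rotate-on-submit scheme the answer describes, and reproduces the problem from the question: two Ajax forms rendered on one page share a single one-time token, so the second submit fails unless the fresh token returned in the first response is injected into the remaining forms. The session is modelled as a plain dict, and the session key name `csrf_token`, the form dicts and the `handle_ajax_submit` round trip are all assumptions made for the simulation.

```python
import hmac
import secrets

# Hypothetical session key under which the current token is stored.
TOKEN_KEY = "csrf_token"


def issue_token(session):
    """Generate a fresh random one-time CSRF token and store it in the session."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_KEY] = token
    return token


def verify_and_rotate(session, submitted):
    """Compare the submitted token with the session copy in constant time.

    On success the used token is invalidated and a fresh one is returned
    (to be sent back in the AJAX response). On failure return None.
    """
    expected = session.get(TOKEN_KEY)
    if not expected or not submitted:
        return None
    if not hmac.compare_digest(expected, submitted):
        return None
    return issue_token(session)


def verify_per_session(session, submitted):
    """The alternative raised in the question: one token for the whole session,
    checked in constant time but never rotated. Returns True/False."""
    expected = session.get(TOKEN_KEY)
    return bool(expected and submitted and hmac.compare_digest(expected, submitted))


def render_forms(session, count):
    """Simulate rendering `count` forms on one page; all carry the token
    currently in the session as their hidden field value."""
    token = issue_token(session)
    return [{"id": f"form{i}", "csrf_token": token} for i in range(count)]


def handle_ajax_submit(session, form, page_forms):
    """Simulate the AJAX round trip: verify and rotate the token, then
    'inject' the new token into the hidden field of every form in page_forms
    (the client-side step the answer describes). Returns the response dict."""
    new_token = verify_and_rotate(session, form["csrf_token"])
    if new_token is None:
        return {"ok": False, "error": "invalid CSRF token"}
    for f in page_forms:
        f["csrf_token"] = new_token
    return {"ok": True, "csrf_token": new_token}


def demo_without_refresh():
    """The problem in the question: the second form still holds the consumed
    token, so it is rejected. Returns (first_ok, second_ok)."""
    session = {}
    forms = render_forms(session, 2)
    first = handle_ajax_submit(session, forms[0], [])   # response ignored by the client
    second = handle_ajax_submit(session, forms[1], [])
    return first["ok"], second["ok"]


def demo_with_refresh():
    """The answer's fix: the response token is injected into every form, so
    the second submit carries the current token. Returns (first_ok, second_ok)."""
    session = {}
    forms = render_forms(session, 2)
    first = handle_ajax_submit(session, forms[0], forms)
    second = handle_ajax_submit(session, forms[1], forms)
    return first["ok"], second["ok"]


def demo_replay():
    """A consumed token presented again is rejected, which is the property
    the one-time design buys. Returns False for the replayed submit."""
    session = {}
    forms = render_forms(session, 1)
    stale = forms[0]["csrf_token"]
    handle_ajax_submit(session, forms[0], forms)
    return handle_ajax_submit(session, {"csrf_token": stale}, forms)["ok"]


if __name__ == "__main__":
    print("no refresh:", demo_without_refresh())   # (True, False)
    print("with refresh:", demo_with_refresh())    # (True, True)
    print("replay accepted:", demo_replay())       # False
```

In a real application the client code would take `csrf_token` from the JSON response and write it into every `<input type="hidden" name="csrf_token">` on the page before the next request, which is exactly the injection step the answer recommends. Both verification paths use `hmac.compare_digest` so that a token check does not leak timing information; whichever policy you choose (rotating or per-session), the comparison should be constant time and the token should come from a cryptographic random source such as `secrets`.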