The CSRF token is generated on login and then stored in the user's session. We accept the risk of not having a per-form token for pure developer/user convenience reasons.



This is exactly what the parent suggests doing.

Keep in mind that if you don't change the client's view of the token on every page load (using some kind of salt), you are potentially vulnerable to CRIME/BEAST.
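Added example, not from this thread: the "salt" the comment above refers to is usually done by masking the per-session secret with a fresh random pad on every render (the approach Rails and Django took in response to the compression side-channel). The client sees `pad || (pad XOR secret)`, which changes every page load, while the server keeps a single secret per session. Function names here are my own; the session store is assumed to hold the raw bytes returned by `new_session_token()`.

```python
import base64
import hmac
import os
from typing import Optional

TOKEN_LEN = 32  # bytes of per-session secret (length chosen for this example)


def new_session_token() -> bytes:
    """Generated once at login and kept server-side in the session."""
    return os.urandom(TOKEN_LEN)


def mask_token(session_token: bytes) -> str:
    """Value embedded in each rendered form: random one-time pad || (pad XOR secret).

    Every render yields a different string for the same secret, so a
    compression side-channel guessing the token byte-by-byte has no stable target.
    """
    pad = os.urandom(len(session_token))
    masked = bytes(p ^ t for p, t in zip(pad, session_token))
    return base64.urlsafe_b64encode(pad + masked).decode("ascii")


def unmask_token(field: str, expected_len: int = TOKEN_LEN) -> Optional[bytes]:
    """Recover the session secret from a submitted field; None if malformed."""
    try:
        raw = base64.urlsafe_b64decode(field.encode("ascii"))
    except ValueError:  # bad base64 or non-ASCII input (binascii.Error is a ValueError)
        return None
    if len(raw) != 2 * expected_len:
        return None
    pad, masked = raw[:expected_len], raw[expected_len:]
    return bytes(p ^ m for p, m in zip(pad, masked))


def verify_token(session_token: bytes, field: str) -> bool:
    """Constant-time comparison of the unmasked submission against the session secret."""
    candidate = unmask_token(field, len(session_token))
    if candidate is None:
        return False
    return hmac.compare_digest(candidate, session_token)


if __name__ == "__main__":
    tok = new_session_token()
    first, second = mask_token(tok), mask_token(tok)
    print("two renders differ:", first != second)
    print("both verify:", verify_token(tok, first) and verify_token(tok, second))
    print("other session rejected:", not verify_token(tok, mask_token(new_session_token())))
```

The masking only hides the token from a compression oracle; it does not change the trust model, so the submitted value still has to be compared against the session-stored secret with a constant-time comparison, and a malformed or wrong-length field is rejected before any XOR happens.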



