For securing forms, when do I issue the token?
So, I have a form. To make it a little more secure and potentially help prevent CSRF attacks, I want to add a random token value in a hidden field; that value is also stored server side in my session data.
When should I issue a new token? Per form? Per page load where there is any form? Per session? I can render it invalid as soon as a form is successfully submitted but I'm wondering when to generate one.
I ask as, if I issue it per form or per page, do I not risk the chance of a duplicate token value overwriting the existing (valid) token if a user opens a separate window but submits the first form (with the now overwritten value)?
The simplest way to prevent concurrency issues is to generate it only once per login. The chance of an attacker "guessing" your CSRF is about the same chance (or lower) as them stealing your PHPSESSID. You could also regenerate it whenever the user's access level changes, such as after they change their password or something.
If you want to be really thorough, you can generate and store an array of tokens, one for each form on the website. But if they can steal a CSRF token, they might as well have just stolen a session ID and done some real damage.
- If you use one token per session, then you need a technique to check for duplicate submitted forms (when the user refreshes a page or clicks the back button).
- If you use it per form, then if the user opens multiple pages, only the last form will work.
- I would prefer using an array of generated tokens per session, and when a token is submitted it should be removed. I read that this approach might be a concern if you have a high-volume traffic website.
I am not sure if you read this article before, but I think it is a great resource about CSRF security: http://shiflett.org/articles/cross-site-request-forgeries
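The per-session token pool described in the last answer, written out as an added example (not code from either answer): a bounded, one-time-use pool keyed to the form it was issued for, so two windows with the same form each get a working token, a replayed token is rejected, and the pool cannot grow without limit on a busy site. It assumes a dict-like session store; `MAX_TOKENS` and the form ids are constructed for the example.

```python
import hmac
import secrets
from collections import OrderedDict

MAX_TOKENS = 32  # assumed cap on live tokens per session; oldest are evicted first


def issue_token(session: dict, form_id: str) -> str:
    """Mint a fresh token for one rendering of form `form_id` and store it in the session."""
    pool = session.setdefault("csrf_tokens", OrderedDict())
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    pool[token] = form_id
    while len(pool) > MAX_TOKENS:  # bound memory per session (the high-volume concern)
        pool.popitem(last=False)  # drop the oldest outstanding token
    return token


def consume_token(session: dict, form_id: str, submitted: str) -> bool:
    """Validate a submitted token for `form_id`; a token is usable exactly once."""
    pool = session.get("csrf_tokens", OrderedDict())
    match = None
    # Scan every entry with a constant-time compare so the lookup does not leak
    # how many leading characters of a guess were correct.
    for token, bound_form in pool.items():
        if hmac.compare_digest(token, submitted) and bound_form == form_id:
            match = token
    if match is None:
        return False
    del pool[match]  # one-time use: a refresh or back-button resubmit now fails
    return True


if __name__ == "__main__":
    session = {}
    # The scenario from the question: the same form opened in two windows.
    window1 = issue_token(session, "post_comment")
    window2 = issue_token(session, "post_comment")
    print("first window submits:", consume_token(session, "post_comment", window1))   # True
    print("first window replays:", consume_token(session, "post_comment", window1))   # False
    print("second window submits:", consume_token(session, "post_comment", window2))  # True
```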