by mgliwka
1891 days ago
To implement the synchronizer token pattern you usually store the randomly generated CSRF token in the session to validate it on the subsequent request, even if you generate a new one for each form. You could also handle this stateless without the session using encryption or HMAC, but then you need to manage secret keys and not screw up. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...
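The two variants the comment contrasts, as an added example (not code from the commenter or from the OWASP cheat sheet): a session-backed synchronizer token, and a stateless token that binds an HMAC over the session id, a nonce and an expiry so nothing has to be stored server-side. It assumes a plain dict standing in for the framework's session store, a session id that the server already knows from the session cookie, and a secret key that in practice would be loaded from configuration or a KMS rather than generated per process.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Assumption: in a real deployment this key comes from configuration or a KMS
# and is rotated; a per-process random key is only for this self-contained demo.
SECRET_KEY = os.urandom(32)

NONCE_LEN = 16
EXPIRY_LEN = 8
MAC_LEN = hashlib.sha256().digest_size  # 32
TOKEN_LEN = NONCE_LEN + EXPIRY_LEN + MAC_LEN


# ---- Stateful variant: synchronizer token stored in the server-side session ----

def issue_session_token(session):
    """Generate a random token and store it in the session (a dict stands in
    for the framework's session store)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def validate_session_token(session, submitted):
    """Compare the submitted token with the stored one in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# ---- Stateless variant: token bound to the session id with an HMAC ----

def _csrf_mac(session_id, nonce, expiry, key):
    # Domain-separated, length-unambiguous message: the NUL separators keep
    # "ab"+"c" and "a"+"bc" from producing the same MAC input.
    msg = b"\x00".join([b"csrf-v1", session_id.encode("utf-8"), nonce,
                        expiry.to_bytes(EXPIRY_LEN, "big")])
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_stateless_token(session_id, key=SECRET_KEY, ttl=3600, now=None):
    """Return base64url(nonce || expiry || HMAC(key, session_id, nonce, expiry))."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN)
    expiry = now + ttl
    raw = (nonce + expiry.to_bytes(EXPIRY_LEN, "big")
           + _csrf_mac(session_id, nonce, expiry, key))
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def validate_stateless_token(session_id, token, key=SECRET_KEY, now=None):
    """Recompute the MAC for the presenting session, then check the expiry."""
    now = int(time.time()) if now is None else now
    if not token:
        return False
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return False
    if len(raw) != TOKEN_LEN:
        return False
    nonce = raw[:NONCE_LEN]
    expiry = int.from_bytes(raw[NONCE_LEN:NONCE_LEN + EXPIRY_LEN], "big")
    mac = raw[NONCE_LEN + EXPIRY_LEN:]
    # Verify the MAC before trusting any field, so a tampered expiry or nonce
    # is rejected on the MAC mismatch rather than interpreted.
    if not hmac.compare_digest(_csrf_mac(session_id, nonce, expiry, key), mac):
        return False
    return now <= expiry


if __name__ == "__main__":
    session = {}
    form_token = issue_session_token(session)
    print("stateful valid:", validate_session_token(session, form_token))
    sid = "session-id-from-cookie"  # constructed sample value
    stateless = issue_stateless_token(sid)
    print("stateless valid:", validate_stateless_token(sid, stateless))
    print("other session:", validate_stateless_token("someone-else", stateless))
```

The stateless token is only as good as the binding: the session id inside the MAC is what ties the token to the presenting user, so the validator must take that id from the server-side session cookie, never from the form body. Expiry bounds how long a leaked token stays usable, and the key is the part the comment warns about: losing it, or loading it from a predictable source, lets anyone mint valid tokens for any session.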