Is it a good idea to refresh the CSRF token when submitting a form with AJAX?
I want to extend my CSRF token expiration. I know about laravel-caffeine, but the token still expires if the page is idle for too long (e.g. 24+ hours).
So I came up with an idea: retrieve the latest CSRF token first with an AJAX GET request, then submit the form with this refreshed token.
But I'm not sure whether there are security concerns. For example, assuming that the latest CSRF token can be fetched from http://example.com/get_csrf and the adversary can visit this URL too, I wonder whether the adversary can exploit it and break the CSRF protection.
Answer
Yes, your concerns are correct. The token is there to prevent other websites from creating a request to your site with the victim's session. Making the token requestable via AJAX might create a problem if that can be done from the attacking website.
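The refresh endpoint is only dangerous if an attacking origin can read its response inside the victim's browser, so the server-side check below, an added example that is not from the question, the answer or Laravel, refuses to serve the token to anything but same-origin AJAX. It assumes the application's own origin is `https://example.com` and uses the hypothetical function names `refresh_allowed` and `token_response_headers`.

```python
"""Gate for a CSRF-token refresh endpoint (added example, not from the post)."""
from typing import Mapping, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumption: the application's own origin


def _origin_of(url: str) -> Optional[str]:
    """Reduce an absolute URL to its scheme://host[:port] origin, lowercased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def refresh_allowed(headers: Mapping[str, str]) -> tuple[bool, str]:
    """Return (allowed, reason) for a GET /get_csrf request, given its headers."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Sec-Fetch-Site is set by current browsers and cannot be forged by a page.
    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs != "same-origin":
        return False, f"sec-fetch-site={sfs}"

    # 2. Browsers attach Origin to cross-origin requests; it must be our own.
    origin = h.get("origin")
    if origin is not None and _origin_of(origin) != SITE_ORIGIN:
        return False, f"origin={origin}"

    # 3. Older browsers send neither header: fall back to Referer, refuse if absent.
    if sfs is None and origin is None:
        referer = h.get("referer")
        if referer is None or _origin_of(referer) != SITE_ORIGIN:
            return False, "no same-origin evidence"

    # 4. A custom header forces a CORS preflight for cross-origin callers, which
    #    this endpoint never answers, so only same-origin XHR/fetch can set it.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With"
    return True, "ok"


def token_response_headers() -> dict[str, str]:
    """Headers for the token response: no CORS grant, so no other origin can read it."""
    return {"Content-Type": "application/json", "Cache-Control": "no-store"}
```

The token itself should still be the one bound to the caller's session (as Laravel's is), so a refreshed token only ever helps the user who already holds that session.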