
Is it a good idea to refresh the CSRF token when submitting a form with AJAX?

- 1 answer

I want to extend my CSRF token expiration. I know about laravel-caffeine, but the token still expires if the page is idle for too long (e.g. 24+ hours).

So I came up with an idea: first retrieve the latest CSRF token with an AJAX GET request, then submit the form with this refreshed token.

But I'm not sure whether there are security concerns. For example, assuming that the latest CSRF token can be fetched from http://example.com/get_csrf and the adversary can visit this URL too, I wonder whether the adversary can exploit it and break the CSRF protection?


Answer

Yes, your concerns are correct. The token is there to prevent other websites from creating a request to your site with the session of the victim. Making the token requestable via AJAX might create a problem if that can be done from the attacking website.

source: stackoverflow.com