Pete Freitag Pete Freitag

csrfVerifyToken does not invalidate the token

Updated on October 28, 2022
By Pete Freitag

When you are using csrfGenerateToken and csrfVerifyToken with unique categories, the token that is generated remains valid until another token is generated with the forceNew argument set to true.

Here is a code snippet which illustrates this:

    <cfset tokenVar = createUUID()>
    <cfset csrf1 = csrfGenerateToken(tokenVar, true)>
    csrf1: #csrf1#
    verify csrf1: #csrfVerifyToken(csrf1, tokenVar)#
    veryif again: #csrfVerifyToken(csrf1, tokenVar)#
    <!--- generate a new token --->
    <cfset csrf2 = csrfGenerateToken(tokenVar, true)>
    csrf2: #csrf2#
    <!--- this should verify --->
    verify csrf2: #csrfVerifyToken(csrf2, tokenVar)#
    <!--- this should no longer verify --->
    verify csrf1: #csrfVerifyToken(csrf1, tokenVar)#

The results of this code is something like this:

csrf1: 14EEDB763BA6E9B68A16A25ED34501778EED8681
verify csrf1: YES
veryif again: YES 

csrf2: 2B1CC298E1E64EAEFB7E3D2FCA7608A9280950DF
verify csrf2: YES
verify csrf1: NO 

As you can see csrf1 remains a valid token until we call csrfGenerateToken again, at that point csrf2 is the valid token for the user's session.

You can learn more about cross site request forgeries (CSRF) in the ColdFusion Security Guide.

csrf security

csrfVerifyToken does not invalidate the token was first published on February 06, 2019.

If you like reading about csrf, or security then you might also like:

FuseGuard Web App Firewall for ColdFusion

The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.

The weekly newsletter for the CFML Community