csrfVerifyToken does not invalidate the token
When you are using csrfGenerateToken and csrfVerifyToken with unique categories, the token that is generated remains valid until another token is generated with the forceNew argument set to true. A successful call to csrfVerifyToken does not invalidate the token, so the same token verifies again and again until it is replaced.
Here is a code snippet which illustrates this:
<cfoutput>
<cfset tokenVar = createUUID()>
<cfset csrf1 = csrfGenerateToken(tokenVar, true)>
csrf1: #csrf1#
verify csrf1: #csrfVerifyToken(csrf1, tokenVar)#
verify again: #csrfVerifyToken(csrf1, tokenVar)#

<!--- generate a new token --->
<cfset csrf2 = csrfGenerateToken(tokenVar, true)>
csrf2: #csrf2#

<!--- this should verify --->
verify csrf2: #csrfVerifyToken(csrf2, tokenVar)#

<!--- this should no longer verify --->
verify csrf1: #csrfVerifyToken(csrf1, tokenVar)#
</cfoutput>
The result of this code is something like this:

csrf1: 14EEDB763BA6E9B68A16A25ED34501778EED8681
verify csrf1: YES
verify again: YES
csrf2: 2B1CC298E1E64EAEFB7E3D2FCA7608A9280950DF
verify csrf2: YES
verify csrf1: NO
As you can see, csrf1 remains a valid token until we call csrfGenerateToken again with forceNew set to true; at that point csrf2 is the valid token for the user's session and csrf1 no longer verifies.
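If you want a per-form token to be single-use, the behaviour above means you have to replace it yourself: call csrfGenerateToken with forceNew set to true immediately after a successful csrfVerifyToken. Here is an added example handler that does this (it is not code from the original post; the form key "deleteAccountForm" and the field name "csrfToken" are assumptions):

```cfml
<!--- Added example, not from the original post. Makes a per-form CSRF token
      single-use: after csrfVerifyToken succeeds, the token is regenerated
      with forceNew=true so the token that was just submitted stops verifying.
      "deleteAccountForm" and "csrfToken" are assumed names. --->
<cfset formKey = "deleteAccountForm">

<cfif structKeyExists(form, "csrfToken")>
    <!--- Check the submitted token against the one stored for this key --->
    <cfset tokenIsValid = csrfVerifyToken(form.csrfToken, formKey)>
    <cfif tokenIsValid>
        <!--- Consume the token. Generating a replacement with forceNew=true
              is what actually invalidates the old one, so a replayed request
              carrying the same token now fails verification. --->
        <cfset csrfGenerateToken(formKey, true)>
        <!--- ... perform the state-changing action here ... --->
    <cfelse>
        <cfthrow type="CSRFTokenInvalid" message="CSRF token invalid or already used">
    </cfif>
</cfif>

<!--- Render the form with the currently valid token for this key.
      Without forceNew, csrfGenerateToken returns the existing token
      for the key, or creates one if none exists yet. --->
<cfoutput>
<form method="post" action="#cgi.script_name#">
    <input type="hidden" name="csrfToken" value="#csrfGenerateToken(formKey)#">
    <button type="submit">Delete account</button>
</form>
</cfoutput>
```

Regenerating right after a successful verify is the same thing the post's snippet does when it creates csrf2: the next rendered form carries the new token, and any copy of the old one is rejected.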