Should csrf tokens be included for each request?

Go To


Supose that the users have private content on their account . Like any social websites , when they browse their account , the users can see alot of things about them . Are all of those requests tokenised? Is it a good ideea to make a pattern and tokenise all requests and check them before they are processed ? Any sugestion ?
Do all apps based on private accounts system tokenise all requests?

P.S. : here is a possible attack : the user logs in a social website ("x"), stays loged in , goes to another website ("y") . Website y has a button that gets the first page content of the x site which includes users latest posts . Since the user is loged in , the data will show ...

How would you set up a csrf token mechanism for each request? Set up a middle process that redirects the request to the final processing page if its a valid request? or ... any other ideeas ? Am i wrong here ? Do i see things wrong?

Here i asked same question and got the right final answer : . The validated answer here is good to read about it too .

2012-04-04 05:50
by Cata Cata


CSRF tokens are only normally attached to things that change things on the users behalf (e.g. POST requests). Protecting attackers from viewing private data is much simpler, and indeed is baked right in to all popular browsers:

To protect attackers viewing private data (rather than modifying it) you would usually rely on the browser's same origin policy, and ensuring your requests do not support Cross-origin resource sharing

In the specific example of the attack you suggest, the attacker requests and the browser will throw an exception which looks like this on my browser:

XMLHttpRequest cannot load Origin is not allowed by Access-Control-Allow-Origin.
2012-04-04 06:43
by tobyodavies