Best approach if it is required to use multiple HTML forms in a template
chespinoza opened this issue · 3 comments
I came across the same situation here:
http://stackoverflow.com/questions/26818516/processing-multiple-forms-from-an-only-template
And I'm wondering if using a single token for several POST requests might work, and if it is secure enough?
As I understand it, the BREACH attack works when the same secret is sent across many requests. I don't think including the same token several times on one page should influence this, as the token is still randomized per request. Though a word from someone more familiar with the internals of BREACH would be more reassuring.
Multiple, identical tokens can be more easily identified in a compressed response due to the way compression works (i.e. go back N bytes for X length). I'm not sure there's an easy way to deal with this across multiple forms though - the better solution may be to provide one token shared across all forms on the page, and/or reconsider your UX/UI (multiple forms on a page - what for?). Stuff like search forms (a GET request) don't need CSRF tokens either.
On Sun Nov 09 2014 at 3:41:13 PM Justinas Stankevičius <notifications@github.com> wrote:

> As I understand it, the BREACH attack works when the same secret is sent across many requests. I don't think including the same token several times on one page should influence this, as the token is still randomized per request. Though a word from someone more familiar with the internals of BREACH would be more reassuring.
Ok, my wording was a bit off. Repeating the same token on a page does have influence, but capturing one request is not enough to recover it. Nosurf's approach should still be viable – no token is repeated twice.
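As an added illustration of the two points made in this thread (that a compressed response makes a repeated token cheap to spot, and that issuing a differently masked token each time avoids the repetition), the following Go program is example code written for this page, not nosurf's own implementation. It assumes a simple scheme in which one per-session "real" token is XORed with a fresh one-time pad on every rendering, so each form on a page carries distinct bytes that all verify against the same real token; it then DEFLATE-compresses a constructed page with five forms both ways to show the size difference that compression-based side channels depend on.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// tokenLength is the size in bytes of the per-session real token (an
// assumption for this example, not a nosurf constant).
const tokenLength = 32

// maskToken hides the real token behind a fresh one-time pad: the output is
// pad || (real XOR pad). Every call yields different bytes, so two forms on
// one page never carry the same token string for a compressor to match.
func maskToken(real []byte) ([]byte, error) {
	pad := make([]byte, len(real))
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	out := make([]byte, 2*len(real))
	copy(out, pad)
	for i := range real {
		out[len(real)+i] = real[i] ^ pad[i]
	}
	return out, nil
}

// unmaskToken recovers the real token from pad || masked.
func unmaskToken(masked []byte) []byte {
	n := len(masked) / 2
	real := make([]byte, n)
	for i := 0; i < n; i++ {
		real[i] = masked[i] ^ masked[n+i]
	}
	return real
}

// verifyToken checks a submitted masked token against the real token in
// constant time. Any masked rendering of the same real token verifies, so a
// page with several forms still needs only one real token per session.
func verifyToken(real, submitted []byte) bool {
	if len(real) == 0 || len(submitted) != 2*len(real) {
		return false
	}
	return subtle.ConstantTimeCompare(real, unmaskToken(submitted)) == 1
}

// renderForms builds a constructed page with n POST forms. With mask=false
// the same token string is embedded n times; with mask=true each form gets
// its own masked rendering of the same real token.
func renderForms(real []byte, n int, mask bool) (string, error) {
	var sb strings.Builder
	plain := base64.StdEncoding.EncodeToString(real)
	for i := 0; i < n; i++ {
		tok := plain
		if mask {
			m, err := maskToken(real)
			if err != nil {
				return "", err
			}
			tok = base64.StdEncoding.EncodeToString(m)
		}
		fmt.Fprintf(&sb, "<form method=\"POST\" action=\"/form%d\">\n", i)
		fmt.Fprintf(&sb, "  <input type=\"hidden\" name=\"csrf_token\" value=\"%s\">\n", tok)
		sb.WriteString("  <input type=\"submit\">\n</form>\n")
	}
	return sb.String(), nil
}

// compressedSize returns the DEFLATE-compressed length of body, standing in
// for HTTP response compression. Repeated runs collapse into back-references
// ("go back N bytes for X length"), so the page repeating one token comes out
// smaller than the page carrying n distinct masked tokens.
func compressedSize(body string) (int, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return 0, err
	}
	if _, err := w.Write([]byte(body)); err != nil {
		return 0, err
	}
	if err := w.Close(); err != nil {
		return 0, err
	}
	return buf.Len(), nil
}

func main() {
	real := make([]byte, tokenLength)
	if _, err := rand.Read(real); err != nil {
		panic(err)
	}
	repeated, _ := renderForms(real, 5, false)
	masked, _ := renderForms(real, 5, true)
	rs, _ := compressedSize(repeated)
	ms, _ := compressedSize(masked)
	fmt.Printf("5 forms, one token repeated: %d bytes compressed\n", rs)
	fmt.Printf("5 forms, masked per form:    %d bytes compressed\n", ms)
	m, _ := maskToken(real)
	fmt.Println("masked token verifies:", verifyToken(real, m))
}
```

The size gap is the whole point: the repeated-token page compresses to little more than one copy of the token plus back-references, while the masked page pays for every distinct rendering. The verification side shows why masking costs nothing in usability: the server keeps a single real token and accepts whichever masked copy a given form submitted.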