csrf token doesn't match in form re-submission through browser's refresh button


I have a CSRF token that I send within a form and also store in the session, so I can verify that they are equal when the form is submitted.

The CSRF token is generated on every page load, which means the CSRF token in the session is changing as well. However, when I re-submit the form with the browser's "refresh" button, it sends the old token, which throws an error.

Is there a way to change the token in the cached browser data?


There is 1 answer

Quentin On

No. It isn't even cached data; you're asking the browser to repeat the previous request.

You might be able to avoid the problem by using the PRG pattern so that the refresh just loads a display page and doesn't resubmit the form data for processing.

That said, it is generally considered fine to generate the token once per session rather than on every page load. This would also solve problems with people accessing the site in two tabs at once.
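To make the two suggestions in the answer concrete, here is an added Python simulation (not Quentin's code and not the questioner's application) of a tiny server plus a browser that, like a real one, replays its most recent request when the user presses refresh. The names `Session`, `Browser`, `post_note` and the routes `/form` and `/notes` are hypothetical. Two switches reproduce the situations discussed: `rotate_per_page` (the questioner's scheme of a fresh token on every rendered page, versus one token per session) and `prg` (Post/Redirect/Get, where the POST is answered with a 303 so that the browser's last request becomes a GET).

```python
"""Added illustration: per-session vs per-page CSRF tokens, with and without PRG.
Hypothetical server and browser; no web framework is assumed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    # Server-side session state: the token lives here, the form carries a copy.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    notes: list = field(default_factory=list)


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


def maybe_rotate(session, rotate_per_page):
    # rotate_per_page=True models "a new token on every page load";
    # False models the answer's recommendation of one token per session.
    if rotate_per_page:
        session.csrf_token = secrets.token_urlsafe(32)


def csrf_ok(session, form):
    # Constant-time comparison; a missing field compares as the empty string.
    submitted = form.get("csrf", "").encode()
    return hmac.compare_digest(submitted, session.csrf_token.encode())


def get_form(session, rotate_per_page):
    maybe_rotate(session, rotate_per_page)
    return Response(200, body=f'<input type="hidden" name="csrf" value="{session.csrf_token}">')


def get_notes(session, rotate_per_page):
    maybe_rotate(session, rotate_per_page)
    return Response(200, body="\n".join(session.notes))


def post_note(session, form, prg, rotate_per_page):
    if not csrf_ok(session, form):
        return Response(403, body="CSRF token mismatch")
    session.notes.append(form.get("note", ""))
    if prg:
        # Post/Redirect/Get: after the browser follows this redirect, its most
        # recent request is GET /notes, so a refresh replays a harmless GET.
        return Response(303, location="/notes")
    # Without PRG the POST itself renders a page, so a refresh replays the POST.
    maybe_rotate(session, rotate_per_page)
    return Response(200, body="saved")


class Browser:
    """Remembers the last request so refresh() can replay it, as a real browser does."""

    def __init__(self, session, prg, rotate_per_page):
        self.session, self.prg, self.rotate = session, prg, rotate_per_page
        self.last = None

    def request(self, method, path, form=None):
        self.last = (method, path, dict(form or {}))
        if (method, path) == ("GET", "/form"):
            resp = get_form(self.session, self.rotate)
        elif (method, path) == ("GET", "/notes"):
            resp = get_notes(self.session, self.rotate)
        elif (method, path) == ("POST", "/notes"):
            resp = post_note(self.session, form or {}, self.prg, self.rotate)
        else:
            resp = Response(404)
        if resp.status == 303:
            return self.request("GET", resp.location)  # the GET becomes "last"
        return resp

    def refresh(self):
        return self.request(*self.last)


def extract_token(html):
    return html.split('value="')[1].split('"')[0]


def submit_then_refresh(prg, rotate_per_page):
    """Load the form, submit one note, press refresh; return (refresh status, stored notes)."""
    b = Browser(Session(), prg, rotate_per_page)
    token = extract_token(b.request("GET", "/form").body)
    b.request("POST", "/notes", {"csrf": token, "note": "hello"})
    r = b.refresh()
    return r.status, len(b.session.notes)


if __name__ == "__main__":
    for prg in (False, True):
        for rotate in (True, False):
            print(f"prg={prg!s:5} rotate_per_page={rotate!s:5} ->", submit_then_refresh(prg, rotate))
```

Running it shows the four cases: per-page rotation without PRG reproduces the questioner's 403 on refresh; a per-session token removes the error but the refresh silently stores the note a second time; with PRG the refresh is a GET in both token schemes, so nothing is resubmitted. In other words, a per-session token addresses the error message (and the two-tabs problem), while PRG addresses the double submission itself. One general caveat not covered by the thread: keep the token bound to the server-side session and regenerate it whenever that session is re-created, for example at login, rather than on every page.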