forgery protection for multiple browser tabs


Luma

Mar 24, 2013, 9:03:41 AM
to rubyonra...@googlegroups.com
Hi,

http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same Rails app in a new browser tab (maybe some info he'd like to read), and again he will get a new token. Then he changes to the first tab again and submits a form on that site (e.g. registration). Then he will get an InvalidAuthenticityToken error, but it was legal and common user behavior rather than request forgery.

- Is there a way to store e.g. a map with POST URLs as keys and CSRF tokens as values?
- Or storing a list of the last n CSRF tokens? The authentication procedure should then first check the newest token etc.

Luma

Luma

Apr 18, 2013, 5:42:07 PM
to rubyonra...@googlegroups.com
any comments?

Frederick Cheung

Apr 19, 2013, 3:25:39 AM
to rubyonra...@googlegroups.com
On Thursday, April 18, 2013 10:42:07 PM UTC+1, Martin Luy wrote:
> any comments?

Why would opening a new tab get you a different CSRF token?

Fred

Jeffrey Jones

Apr 19, 2013, 3:41:08 AM
to rubyonra...@googlegroups.com
Does the new tab re-request the page?

Martin Luy

Apr 21, 2013, 4:35:05 PM
to rubyonra...@googlegroups.com
You're right, sorry.

Martin Luy

Jun 9, 2013, 1:48:10 PM
to rubyonra...@googlegroups.com
The invalid authenticity tokens are happening about once per day on average, and with all kinds of forms in my app. Could it be that the token was outdated because the page was in the browser cache of the user? If so, how do you deal with that? <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"> might be overkill... How can we include this only for pages that include forms with authenticity tokens?

Martin

Martin Luy

Jun 30, 2013, 10:50:51 AM
to rubyonra...@googlegroups.com
In some situations a new session was created because the user was logging in/out. Could I copy the old CSRF token into the new session, or would there be any security leak?

In other cases the user was not logging in/out and didn't get a new session. Maybe the page was cached in the browser, so I added in my layout <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"> now.
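To make the behaviour discussed in this thread concrete, here is an added plain-Ruby model of Rails-style per-session CSRF protection (it is an illustration written for this page, not the code of ActionController::RequestForgeryProtection; the class and method names are made up). It shows why two tabs in the same session share one token, and why a form rendered before a session reset (login/logout) fails verification afterwards.

```ruby
require 'securerandom'

# Hypothetical stand-in for the Rails session and its single CSRF token.
class CsrfSession
  attr_reader :data

  def initialize
    @data = {} # plays the role of the Rails session hash
  end

  # One token per session, created lazily and reused on every render:
  # every tab that loads a page in this session embeds the same value.
  def form_token
    @data[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Verify a submitted token against the session token. The comparison
  # is constant-time so the check does not leak the token via timing.
  def valid_token?(submitted)
    expected = @data[:_csrf_token]
    return false if expected.nil? || submitted.nil?
    return false unless submitted.bytesize == expected.bytesize
    diff = 0
    submitted.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end

  # Models reset_session at login/logout: a fresh session gets a fresh
  # token, so pages rendered earlier (open tabs, cached pages) carry a
  # stale token. Re-rendering the form after the reset fixes that.
  def reset!
    @data = {}
  end
end

# Two tabs rendering pages in the same session receive the same token,
# so the form from tab 1 still validates after tab 2 loaded a page.
def two_tabs_share_token
  session = CsrfSession.new
  tab1_form = session.form_token
  tab2_form = session.form_token
  tab1_form == tab2_form && session.valid_token?(tab1_form)
end

# After a session reset the form rendered before it no longer validates.
def stale_token_after_reset
  session = CsrfSession.new
  old_form = session.form_token
  session.reset!
  session.form_token # next page render issues a new token
  session.valid_token?(old_form)
end
```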