CSRF token expiry

0 votes

Why is "CSRF-Tokens which are generated on each login and are valid for this user until they logout" considered a correct answer for question 3a. Doesn't increasing the lifetime of the CSRF token basically increase the chances of it getting stolen, rather than if it was only generated per form request. 

in ex03 by
edit history

1 Answer

0 votes

Hi,

as you correctly point out, this is not the most secure usage of CSRF tokens.

However, the task asks for "Which countermeasures can the bank use to protect Alice from sending this money to the attacker?".

The answers "CSRF [...] for any user" are wrong since the tokens are not bound to the user.
An attacker could generate a token which is valid for any victim.
Therefore, they do not help.

The answers "CSRF [...] for this user [...]" are correct since the tokens are bound to the user.

We do not consider the answer "CSRF-Tokens which are generated on each login and are valid for this user until they logout" as incorrect, as this answer implies just a session.
A single session is not that long.

Cheers
Sebastian

by (1.2k points)
edit history