I recently read about CSRF tokens. I use the Yii framework to develop my project. I have enabled CSRF checking in `config/main.php`, and Yii puts the token in a hidden form field and checks whether the token is valid. All perfectly fine. But I noticed that the value of the CSRF token does not change during the update, and all forms on the page use the same token.
It puzzled me. If the CSRF token does not change, any hacker can use this token in his request and can submit a valid request. Then how can the CSRF token provide security? Is this a problem with the Yii infrastructure? Or am I missing something? I hope I missed something. If we need to generate tokens manually, please let me know how to create and validate them (preferably within the Yii structure).
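The pattern the question describes is the synchronizer token pattern: one random secret per server-side session, reused by every form rendered in that session. Its protection does not come from the value changing; it comes from the attacker's page being unable to read the victim's token across origins, so a forged cross-site request can only carry a token the attacker obtained for their own session, which fails validation. The following is an added, self-contained Python sketch of that design, not Yii's code and not a suggestion that Yii works this way internally: it keeps a per-session secret, validates with a constant-time comparison, rotates the secret on privilege changes such as login, and shows a per-form masking step (random mask XORed with the secret) that makes each rendered token look different while the stored secret stays the same. The in-memory `SESSIONS` store and all function names are constructed for the example.

```python
import base64
import hmac
import secrets

TOKEN_LEN = 32

# Constructed in-memory session store; it stands in for the framework's
# server-side session and is not Yii's implementation.
SESSIONS = {}


def new_session():
    """Create a session and return its id (the value a session cookie would carry)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def get_csrf_secret(sid):
    """One random secret per session, created on first use and reused by every form."""
    sess = SESSIONS[sid]
    if "csrf" not in sess:
        sess["csrf"] = secrets.token_bytes(TOKEN_LEN)
    return sess["csrf"]


def rotate_csrf_secret(sid):
    """Rotate on privilege change (login/logout) so a token issued before
    authentication cannot be replayed afterwards."""
    SESSIONS[sid]["csrf"] = secrets.token_bytes(TOKEN_LEN)
    return SESSIONS[sid]["csrf"]


def mask_token(secret):
    """Per-form visible token: random mask || (secret XOR mask), base64url encoded.
    Every call yields a different string for the same underlying secret."""
    mask = secrets.token_bytes(TOKEN_LEN)
    xored = bytes(a ^ b for a, b in zip(secret, mask))
    return base64.urlsafe_b64encode(mask + xored).decode()


def unmask_token(visible):
    """Recover the secret from a masked token; None on malformed input."""
    try:
        raw = base64.urlsafe_b64decode(visible.encode())
    except (ValueError, AttributeError):
        return None
    if len(raw) != 2 * TOKEN_LEN:
        return None
    mask, xored = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(a ^ b for a, b in zip(mask, xored))


def validate_csrf(sid, submitted):
    """Server-side check on every state-changing request: unmask the submitted
    value and compare it to the session secret in constant time."""
    sess = SESSIONS.get(sid)
    if sess is None or "csrf" not in sess:
        return False
    candidate = unmask_token(submitted) if isinstance(submitted, str) else None
    if candidate is None:
        return False
    return hmac.compare_digest(sess["csrf"], candidate)


def simulate_forged_request(victim_sid, attacker_sid):
    """Model of a cross-site request: the browser attaches the victim's session
    cookie, but the attacker can only supply a token from their own session."""
    attacker_visible = mask_token(get_csrf_secret(attacker_sid))
    return validate_csrf(victim_sid, attacker_visible)


if __name__ == "__main__":
    victim, attacker = new_session(), new_session()
    secret = get_csrf_secret(victim)
    form_a, form_b = mask_token(secret), mask_token(secret)
    print("two forms, different visible tokens:", form_a != form_b)
    print("both validate for the victim:", validate_csrf(victim, form_a), validate_csrf(victim, form_b))
    print("forged cross-site request accepted:", simulate_forged_request(victim, attacker))
```

The takeaway for the question: a stable per-session token is the intended design, provided it is unpredictable, bound to the session, compared in constant time, rotated on login, and the application has no cross-site scripting or other secret-leaking bug that would let an attacker read it from the page.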