CSRF and ever-changing tokens

I just saw a Doctype episode on CSRF.

It says that the best prevention for CSRF is to create a token from some unique user data (for example, a hash of the session identifier), and then POST it along with your request.

Would it be less secure to generate a hard-to-guess value (like a GUID), store it as a session variable and put it in the page as a hidden field?

Each time the page loads, the value will change, but before that, the POSTed data will be checked.

It seems to me that it is just as safe. Am I wrong?

0
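The two schemes the question compares, as an added example (not code from the question, the answer, or the Doctype episode): a token derived from the session identifier with a server-side secret, and a random per-request token stored in the session and consumed on the POST. The `SERVER_KEY` and the `session` dict are assumptions standing in for whatever the framework provides.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed: a server-side secret; in practice loaded from configuration.
SERVER_KEY = secrets.token_bytes(32)


def session_bound_token(session_id: str) -> str:
    """Episode's advice: derive the token from session data. Keying the hash
    with a server secret means an attacker who knows the session id format
    still cannot compute a valid token."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_session_bound(session_id: str, posted: Optional[str]) -> bool:
    """Verify a posted token against the session-derived value."""
    if not posted:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(session_bound_token(session_id), posted)


def issue_per_request_token(session: dict) -> str:
    """Asker's proposal: a fresh unguessable value on every page render,
    stored server-side in the session and emitted as a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_per_request(session: dict, posted: Optional[str]) -> bool:
    """Consume the stored token on POST: compare in constant time, then
    discard it so the same form cannot be replayed."""
    expected = session.pop("csrf_token", None)
    if not expected or not posted:
        return False
    return hmac.compare_digest(expected, posted)
```

Both schemes defeat a cross-site request because the forged request cannot read the hidden field; the rotating variant additionally rejects replays, at the cost of breaking a form left open in a second tab once another page has rotated the token.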
1 answer


CSRF ( ) Open Web Application Security Project

, , CSRF . . OWASP XSS (Cross Site Scripting) .

+5
