When I use a single form, for example, I create a token and a session to "control" that the request will only be executed from the source. but when I have several buttons, which will be called via AJAX, what is the best way to get around this? Is it feasible to create hundreds of sessions for each token? in this type of application is <form> or links <a> same?
Example:
These buttons will be executed via AJAX.
CSSF protection is to prevent another website and other software, such as mobile apps, from being able to request on behalf of the user , at a glance .
For example:
$.post("https://twitter.com/i/tweet/like", {
authenticity_token: "411e9d041eb283109fdde6f4357ec128d3e47bec",
id: "815385473703022593",
tweet_stat_count: "1998"
});
If there was no authenticity_token (which is the CSRF Twitter Token) it would be possible to include this on a website and everyone who accessed would enjoy the 815385473703022593 . The presence of authenticity_token is what prevents this because it is a random number.
CSRF Token was created to prevent this from working ...
$.post("https://twitter.com/i/tweet/like", {id: "815385473703022593", tweet_stat_count: "1998" });
For example, IGNORING CORS EXIST .
However, all requests, tanned, retweet, tweeted (...) from the same user, use the same token and it does not make sense to have a different token per button, that's insane .
You do not need to keep in session, although I recommend that you keep it in cookie in plain text. Instagram does this, the name of csfrtoken is valid for the header name of x-csrftoken , if you change the header and cookie to 1 it will be valid.
Anyway, use only token for all buttons, that's enough. ;)