CSRF
CSRF protection exists to prevent another website, or other software such as a mobile app, from making requests on behalf of the user without the user noticing.
For example:
$.post("https://twitter.com/i/tweet/like", {
authenticity_token: "411e9d041eb283109fdde6f4357ec128d3e47bec",
id: "815385473703022593",
tweet_stat_count: "1998"
});
If there were no authenticity_token
(the Twitter CSRF token), it would be possible to embed this request in any website, and everyone who visited it would like tweet 815385473703022593. The presence of authenticity_token
is what prevents this, because it is a random value that the attacking site cannot know.
The CSRF token was created so that a request like this one, sent without it, does not work:
$.post("https://twitter.com/i/tweet/like", {id: "815385473703022593", tweet_stat_count: "1998" });
(For the sake of the example, pretend that CORS and the same-origin policy do not exist; an auto-submitted HTML form would carry the victim's cookies anyway.)
However, all requests from the same user (like, retweet, tweet, ...) use the same token,
and it makes no sense to have a different token per button; that would be insane.
You do not need to keep it in the session, although I recommend keeping it in a cookie
in plain text. Instagram does this: the value of the csrftoken cookie
must match the value of the x-csrftoken header.
If you change both the header and the cookie to 1,
the request is still valid. That is fine: the protection comes from the fact that a page on another origin can neither read your cookie nor set one for your domain, so it cannot produce a matching pair (just be careful with subdomains you do not control, which can set cookies for the parent domain).
Anyway, use a single token
for all buttons; that is enough. ;)