Details
- Improvement
- Resolution: Unresolved
- Minor
Description
implement the org.owasp.csrfguard.token.storage.TokenHolder interface described here:
Note, we don't need page level tokens, just the session tokens. Still store in memory too. Periodically purge the database table.
Explore hashing the tokens and session keys to see if that can work to not let the DB be a vector for session hacking...
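A worked sketch of the design the description asks for (session tokens only, plaintext copy in memory, a periodically purged database table, and hashed session keys and tokens in that table) is added below as an illustration. It is not code from CSRFGuard or from the project tracking this issue, it is Python with sqlite3 rather than a Java class implementing the real `org.owasp.csrfguard.token.storage.TokenHolder` interface, and the method names, the `csrf_session_tokens` table and the keyed-HMAC choice are assumptions. The point it demonstrates is the one the last sentence raises: if the table holds only HMACs of the session key and token, a reader of the table learns neither which session a row belongs to nor a usable token, yet a presented token can still be verified against the table after the in-memory copy is lost (a restart), and the plaintext can be re-cached from the verified request itself.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time


class HashedSessionTokenStore:
    """Two-tier CSRF session-token store (hypothetical, not the CSRFGuard TokenHolder).

    memory: session_key -> (plaintext token, last_seen)   -- fast path, lost on restart
    db    : HMAC(session_key) -> HMAC(token), last_seen    -- survives restart, leaks nothing usable
    """

    def __init__(self, conn, hmac_key, ttl_seconds=3600, clock=time.time):
        self.conn = conn
        self.key = hmac_key          # server-side secret; keep it out of the database
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so purge/expiry can be tested deterministically
        self.memory = {}
        conn.execute(
            "CREATE TABLE IF NOT EXISTS csrf_session_tokens ("
            " session_hash TEXT PRIMARY KEY, token_hash TEXT NOT NULL, last_seen INTEGER NOT NULL)"
        )

    def _h(self, value):
        # Keyed hash: an attacker with only the table contents cannot recompute or reverse these.
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    def _persist(self, session_key, token, now):
        self.conn.execute(
            "INSERT OR REPLACE INTO csrf_session_tokens VALUES (?, ?, ?)",
            (self._h(session_key), self._h(token), now),
        )
        self.conn.commit()

    def create_token_if_absent(self, session_key):
        """Return the cached session token, minting a new one when memory has none."""
        entry = self.memory.get(session_key)
        if entry:
            return entry[0]
        # A DB row may exist from before a restart, but it only holds a hash, so the
        # plaintext cannot be recovered: mint a fresh token and overwrite the row.
        token = secrets.token_urlsafe(32)
        now = int(self.clock())
        self.memory[session_key] = (token, now)
        self._persist(session_key, token, now)
        return token

    def get_token(self, session_key):
        """Plaintext token for page injection; only the memory tier can answer this."""
        entry = self.memory.get(session_key)
        return entry[0] if entry else None

    def is_valid(self, session_key, presented):
        """Constant-time check against memory, falling back to the hashed DB row."""
        now = int(self.clock())
        entry = self.memory.get(session_key)
        if entry:
            if not hmac.compare_digest(entry[0], presented):
                return False
            self.memory[session_key] = (entry[0], now)
            return True
        row = self.conn.execute(
            "SELECT token_hash, last_seen FROM csrf_session_tokens WHERE session_hash = ?",
            (self._h(session_key),),
        ).fetchone()
        if row is None or row[1] + self.ttl < now:
            return False
        if not hmac.compare_digest(row[0], self._h(presented)):
            return False
        # The request just proved the plaintext; re-cache it so later page renders work.
        self.memory[session_key] = (presented, now)
        self._persist(session_key, presented, now)
        return True

    def remove(self, session_key):
        self.memory.pop(session_key, None)
        self.conn.execute(
            "DELETE FROM csrf_session_tokens WHERE session_hash = ?", (self._h(session_key),)
        )
        self.conn.commit()

    def purge_expired(self):
        """Periodic job: drop idle entries from both tiers; returns rows deleted from the DB."""
        cutoff = int(self.clock()) - self.ttl
        for key, (_, seen) in list(self.memory.items()):
            if seen < cutoff:
                del self.memory[key]
        cur = self.conn.execute("DELETE FROM csrf_session_tokens WHERE last_seen < ?", (cutoff,))
        self.conn.commit()
        return cur.rowcount
```

The trade-off the DB-fallback path exposes is that after a restart the store can verify an incoming request but cannot render a token into a page until some request has been verified; a cold `create_token_if_absent` therefore mints a replacement and invalidates forms already issued to that session, which is the cost of not keeping plaintext in the table.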