Any HTTP request can retrieve it, and the value can be appended to all forms and AJAX requests via JavaScript. Once the CSRF token has been retrieved, because it is stored in a cookie, the value can be reused without additional requests.
How long should a CSRF token be valid?
In releases before 7.03/7.31, or when security session management is inactive, a dedicated CSRF cookie (sap-XSRF__) is generated, and this CSRF token remains valid for 24 hours (86400 seconds).
What does a CSRF token do?
A CSRF token is a secure random token (e.g., a synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be a large random value so that it is difficult to guess. A CSRF-secure application assigns a unique CSRF token to every user session.
Does CSRF token change?
CSRF tokens are often bound to the user's session: while the user is logged in, they keep the same CSRF token. However, there are some security advantages to changing the CSRF token more often, or even on every request.
Is it safe to use a CSRF token?
If an HTTP request carries a secure CSRF token, either in a parameter or in an HTTP header, and this token matches the one stored in the user's session, the request is considered safe. For non-browser API access, we recommend using token-based authentication of the request and disabling cookie support in your HTTP client.
Can a CSRF attack be used against cookies?
Typically, CSRF attacks are possible against web sites that use cookies for authentication, because browsers send all relevant cookies to the destination web site. However, CSRF attacks are not limited to exploiting cookies. For example, Basic and Digest authentication are also vulnerable.
How to pass a CSRF token in TeamCity?
To pass the token, use the X-TC-CSRF-Token HTTP request header or the tc-csrf-token HTTP parameter. When considering HTTP request safety from the TeamCity perspective, the following checks are made in sequence: if an HTTP request is a non-modifying one (such as GET), it is considered safe.
How to prevent cross-site request forgery ( CSRF ) attacks?
Anti-forgery tokens: the client requests an HTML page that contains a form, and the server includes two tokens in the response. One token is sent as a cookie; the other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.