I am currently generating a CSRF token in my forms to prevent cross-site request forgery. It looks like:
<form method="post" action="action.php">
<input type="hidden" id="security_token" name="security_token" value="gTt96phAcretR99rafEjepHebrEZadEdezadagaZ3gAS5es33WReJeZaMADU2AWr" />
...
</form>
The problem is that I have multiple forms on a single page. Must I create a security token for each form (security_token_1, security_token_2, ...), or can I, instead of generating the security token inside of the forms, simply append it as a property on the entire body tag like:
<body data-csrf-token="gTt96phAcretR99rafEjepHebrEZadEdezadagaZ3gAS5es33WReJeZaMADU2AWr">
...
</body>
Is this insecure in any way? It simplifies things quite a bit, since I can simply append the security token to the body element instead of dealing with multiple security tokens.
Thanks for the insight and comments.
There really isn’t any reason you can’t have the same generated token for both forms, with each hidden field in each form having the same name attribute. After all, what you are really trying to validate is that a form request is inbound from a user with a valid session, and only one form is going to be actively posted at a time. Thus you are comparing the token posted against a token stored in session for the user. There need not be more than one token value in order to do this.
For your case of needing to update the tokens based on AJAX posts, what you would need to do is, as you say, pass the newly created token back in the AJAX response, then update the hidden field values to the new token value.
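Here is what that looks like end to end, as an added example that is not part of the question or the answer above. It is a single self-contained PHP page (PHP 7.1+ with native sessions): one token is generated per session, every form on the page carries it in a hidden field with the same name, the POST handler compares it against the session copy, and an AJAX post gets a fresh token back in a JSON response which the page-side script writes into every hidden field. The function names csrf_token(), csrf_check() and csrf_rotate(), the X-Requested-With convention for detecting AJAX, and the form fields are illustrative choices made for this example, not an existing API.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes PHP 7.1+ and native PHP sessions; helper names are illustrative.
session_start();

// One token per session, generated once and reused by every form on the page.
function csrf_token(): string
{
    if (empty($_SESSION['security_token'])) {
        $_SESSION['security_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['security_token'];
}

// Compare the posted token against the session copy in constant time.
function csrf_check(?string $posted): bool
{
    $expected = $_SESSION['security_token'] ?? '';
    return $expected !== '' && $posted !== null && hash_equals($expected, $posted);
}

// Replace the session token (e.g. after an AJAX post) and return the new value
// so the response can carry it back to the page.
function csrf_rotate(): string
{
    $_SESSION['security_token'] = bin2hex(random_bytes(32));
    return $_SESSION['security_token'];
}

// POST handler: the same check serves every form, whichever one was submitted.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['security_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }

    // ... perform the requested action here (comment, delete, ...) ...

    // Convention assumed for this example: AJAX callers send X-Requested-With
    // and receive JSON that includes the rotated token.
    if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest') {
        header('Content-Type: application/json');
        echo json_encode(['ok' => true, 'security_token' => csrf_rotate()]);
        exit;
    }

    header('Location: ' . $_SERVER['REQUEST_URI']);
    exit;
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<body>
<!-- Both forms share one hidden field name and one token value -->
<form method="post" action="" class="ajax-form">
  <input type="hidden" name="security_token" value="<?= $token ?>" />
  <input type="text" name="comment" />
  <button type="submit">Post comment</button>
</form>

<form method="post" action="" class="ajax-form">
  <input type="hidden" name="security_token" value="<?= $token ?>" />
  <input type="hidden" name="id" value="42" />
  <button type="submit">Delete item</button>
</form>

<script>
// Submit each form over AJAX and, on success, write the rotated token into
// every hidden security_token field on the page so the next post validates.
document.querySelectorAll('form.ajax-form').forEach(function (form) {
  form.addEventListener('submit', function (ev) {
    ev.preventDefault();
    fetch(form.action || window.location.href, {
      method: 'POST',
      body: new FormData(form),
      headers: { 'X-Requested-With': 'XMLHttpRequest' },
      credentials: 'same-origin'
    })
      .then(function (r) { return r.json(); })
      .then(function (data) {
        document.querySelectorAll('input[name="security_token"]').forEach(function (el) {
          el.value = data.security_token;
        });
      });
  });
});
</script>
</body>
</html>
```

The validation path is identical no matter which form was posted, which is the point of the answer: the server holds a single session value and checks the one token that arrives with the request. Rotating on every AJAX response is optional; if you do rotate, update all hidden fields at once, otherwise the forms that were not submitted are left holding a token the server no longer accepts.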