If I check the code, then there is no mechanism anywhere that allows for unchanged tokens for the duration of the session, as check_token() ALWAYS rotates the token after a succesful match.
I think it means to say "If zero, the token remains valid for the entire session". Which is different from "the same", which from a security point of view is a bad idea.
Well, you are right that at least the comment block is incorrect. It's not consistent with the conditional... I actually scratched my head here for a while.
Otherwise, I have read that this pattern allows for leaving a single token for the duration of the session. Maybe that's not as secure as constantly rotating the token but at least I don't have to worry about things like multiple tabs running on the same session.
It would be useful to have that capability. Otherwise, what does it mean for a token to NOT remain valid for an entire session? A token could only be used once in the current scheme.
The multiple tabs issue, and ajax calls, can be dealt with with the javascript function for which the Security class has the generator methods.
They will update the form field with the contents of the cookie when you submit the form, making sure it's always up to date. In that case rotation is no longer an issue.
Donate
