From 11ec99cc05925e955ecff9967080ba777f0e67d7 Mon Sep 17 00:00:00 2001
From: "Karl O. Pinc"
Date: Tue, 27 Aug 2024 18:44:39 -0500
Subject: [PATCH] Generate new CRSF token once per session instead of per request

It is tempting to generate the token once per request and have multiple windows in the browser share the token via javascript's session local storage. But there are a number of race conditions, including not being able to submit a new request in the interval between the server sending a response and the browser receiving the response. Per-request CSRF tokens are just too much bother for what you get.
---
 src/pgwui_core/core.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pgwui_core/core.py b/src/pgwui_core/core.py
index 67b0b91..f28b853 100644
--- a/src/pgwui_core/core.py
+++ b/src/pgwui_core/core.py
@@ -699,7 +699,7 @@ class SessionDBHandler(DBHandler):
 csrf_token Token for detecting CSRF.
 '''
 response = super().write(result, errors)
- response['csrf_token'] = self.session.new_csrf_token()
+ response['csrf_token'] = self.session.get_csrf_token()
 return response
--
2.34.1
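Review bot: The token placed in `response['csrf_token']` now stays valid for the whole session, and nothing visible in this hunk rotates it when the session's authentication state changes. If `self.session` is a Pyramid-style session (the method names suggest so, but the session class is defined outside the hunk), any login or logout path should call `self.session.new_csrf_token()` or invalidate the session, so a token issued before authentication is not still accepted afterwards. Because one disclosed token is now usable until the session ends, responses carrying it should be kept out of shared caches and the token out of URLs. The docstring entry could record the new lifetime, for example `csrf_token   Per-session token for detecting CSRF; the same value is returned on every request`. `write` begins above the hunk, so its earlier lines were not reviewed.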