Is it valid to defend a CSRF token against replay (e.g. with a timestamp)?
I have an MVC app that is using the AntiForgeryToken capability of ASP.NET MVC. AFAICT this uses an encrypted synchronizer token variation where it validates the payload of the tokens.
A customer has questioned the fact that these tokens …
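To make the question concrete, here is an added example (not ASP.NET MVC's AntiForgeryToken implementation, and not code from the original post) of a synchronizer token whose payload carries an issue timestamp and a random nonce, both bound to the caller's session under an HMAC. The session identifier, the 15-minute lifetime, the 60-second clock-skew allowance and the `seen` nonce set are all assumptions made for the illustration. The validator shows the distinction a reviewer of the customer's concern would care about: the MAC stops forgery and cross-session use, the timestamp only bounds the window in which a captured token can be replayed, and true single-use requires server-side state (the `seen` set) on top of the timestamp.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Assumed policy values for this example, not anything ASP.NET MVC mandates.
TOKEN_TTL_SECONDS = 15 * 60      # how long a token stays valid after issue
CLOCK_SKEW_SECONDS = 60          # tolerance for tokens stamped slightly ahead of us

_TS_LEN, _NONCE_LEN, _TAG_LEN = 8, 16, 32


def _mac(key: bytes, session_id: str, issued_at: int, nonce: bytes) -> bytes:
    """HMAC over session id + timestamp + nonce, so none of them can be altered
    independently and a token minted for one session fails for another."""
    msg = session_id.encode() + struct.pack(">Q", issued_at) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_token(key: bytes, session_id: str, now=None, nonce=None) -> str:
    """Mint a token: big-endian issue time || 16-byte nonce || HMAC-SHA256 tag."""
    issued_at = int(time.time()) if now is None else int(now)
    nonce = os.urandom(_NONCE_LEN) if nonce is None else nonce
    payload = struct.pack(">Q", issued_at) + nonce + _mac(key, session_id, issued_at, nonce)
    return base64.urlsafe_b64encode(payload).decode()


def validate_token(key: bytes, session_id: str, token: str, now=None,
                   ttl: int = TOKEN_TTL_SECONDS, seen=None):
    """Return (ok, reason).

    Check order matters: the MAC is verified before anything in the payload is
    trusted, so an attacker cannot learn about the clock or nonce store from a
    forged token. If `seen` (a set owned by the server) is supplied, each nonce
    is accepted once only; without it the timestamp merely bounds replay to `ttl`.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return False, "malformed"
    if len(raw) != _TS_LEN + _NONCE_LEN + _TAG_LEN:
        return False, "malformed"

    issued_at = struct.unpack(">Q", raw[:_TS_LEN])[0]
    nonce = raw[_TS_LEN:_TS_LEN + _NONCE_LEN]
    tag = raw[_TS_LEN + _NONCE_LEN:]

    # Constant-time comparison; covers forgery, tampering and wrong-session use.
    if not hmac.compare_digest(tag, _mac(key, session_id, issued_at, nonce)):
        return False, "bad-mac"

    now = int(time.time()) if now is None else int(now)
    if issued_at > now + CLOCK_SKEW_SECONDS:
        return False, "future"            # stamped further ahead than skew allows
    if now - issued_at > ttl:
        return False, "expired"           # replay window closed

    if seen is not None:
        if nonce in seen:
            return False, "replayed"      # valid token, but already consumed
        seen.add(nonce)
    return True, "ok"
```

In practice the `seen` set would live in whatever store backs the session, and its entries can be dropped once the corresponding `issued_at` is older than `ttl`, which is the one real benefit the timestamp brings to a single-use scheme: it bounds how much nonce state the server must keep.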