Best approach if is required use multiple html forms in a template

[chespinoza]

I came across the same situation here:
http://stackoverflow.com/questions/26818516/processing-multiple-forms-from-an-only-template

And I'm wondering if use an only token for several POST requests might work, and if is secure enough?

[justinas]

As I understand it, the BREACH attack works when the same secret is sent across many requests. I don't think including the same token several times on one page should influence this, as the token is still randomized per request. Though a word from someone more familiar with the internals of BREACH would be more ensuring.

[elithrar]

Multiple, identical tokens can be more easily identified in a compressed
response due to the way compression works (i.e. go back N bytes for X
length). I'm not sure there's an easy to way to deal with this across
multiple forms though - the better solution may be to provide one token
shared across all forms on the page, and/or reconsider your UX/UI (multiple
forms on a page - what for?). Stuff like search forms (a GET request) don't
need CSRF tokens either.

On Sun Nov 09 2014 at 3:41:13 PM Justinas Stankevičius <
[email protected]> wrote:

As I understand it, the BREACH attack works when the same secret is sent
across many requests. I don't think including the same token several times
on one page should influence this, as the token is still randomized per
request. Though a word from someone more familiar with the internals of
BREACH would be more ensuring.

—
Reply to this email directly or view it on GitHub
#19 (comment).

[justinas]

Ok, my wording was a bit off. Repeating the same token on a page does have influence, but capturing one request is not enough to recover it. Nosurf's approach should still be viable – no token is repeated twice.