id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
20276,Tie nonces to the current session,ryan,,"Owasp specifies that ""the synchronizer token pattern requires the generating of random challenge tokens that are associated with the user's current session."" Our nonces have a timeout, but that timeout can span cookie sessions. Instead, nonces should be somehow tied to the current auth cookie and invalidate whenever the cookie invalidates.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet",enhancement,new,normal,Future Release,Security,,normal,,,scribu johnbillion juliobosk@…