CSRF protection and usability

Question

Between most strong CSRF protection, there is the form token protection. The question I have about this method, is about usability: if a user opens multiple page containing a form, which use the token, are generated multiple token, but only the last opened page can successful send the form, all the other will give error.

I thought 2 solutions:

1. Keep a unique token for all the duration of session.
2. Store all generated tokens in session.

But:

1. This is the more realistic solution, but is less safe.
2. This generate a large resource overhead, because a user could open many pages, and I must store all the generated token.

Therefore, how have you solved this question?

PS The website I'm developing, is practically a ecommerce in PHP and although the money transfer will be managed through an external provider (like paypal), I think right give a good safety to my service.

Answer 1

You don't need to store tokens in the database.

Instead, you should include the same token in a cookie; a cross-site attacker cannot read or set cookies.
As long as the you get the same token in the cookie as the POSTed form, you're safe.

For additional security, you can hash them with a keyed HMAC hash, and verify that hash to make sure that the token came from your server.
You can also make the tokens per-user.