Liberapay: CSRF token did not change after login/logout many times

2018-06-02T16:53:08
ID H1:361131
Type hackerone
Reporter cryptographer
Modified 2018-06-04T12:01:55

Description

Hello team, your CSRF token did not expire, and after logging in and out many times, I found that your CSRF token is generated the same as the last one.

Impact

If an attacker found an XSS on your domain and you fixed it, but the attacker still has the user's CSRF token, the attacker can use it to perform any action.
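
One mitigation for the behaviour reported above is to bind the CSRF token to the server-side session and reissue both on every login and logout, so a token captured earlier stops validating. The following Python code is an added example, not Liberapay's code or part of the original report; the `SessionStore` class, its method names and the in-memory storage are hypothetical.

```python
import hmac
import secrets


class SessionStore:
    """In-memory session store (hypothetical, constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def _issue(self, user):
        # Every new session gets a fresh random id and a fresh CSRF token.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def new_anonymous(self):
        return self._issue(None)

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]

    def login(self, old_sid, user):
        # Drop the pre-login session so its id and CSRF token die with it.
        self._sessions.pop(old_sid, None)
        return self._issue(user)

    def logout(self, sid):
        # Same on logout: the authenticated session and its token are discarded.
        self._sessions.pop(sid, None)
        return self._issue(None)

    def check_csrf(self, sid, submitted):
        session = self._sessions.get(sid)
        if session is None or not isinstance(submitted, str):
            return False
        # Constant-time comparison of the stored and submitted tokens.
        return hmac.compare_digest(session["csrf"].encode(), submitted.encode())


def demo():
    """Log in, log out and log in again; report how the tokens behave."""
    store = SessionStore()
    anon = store.new_anonymous()
    t0 = store.csrf_token(anon)
    s1 = store.login(anon, "alice")
    t1 = store.csrf_token(s1)
    s2 = store.login(store.logout(s1), "alice")
    t2 = store.csrf_token(s2)
    return {"tokens_distinct": len({t0, t1, t2}) == 3,
            "current_ok": store.check_csrf(s2, t2),
            "stale_rejected": not store.check_csrf(s2, t1) and not store.check_csrf(s1, t1)}
```
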