Liberapay: CSRF token did not change after logging in/out many times

ID H1:361131
Type hackerone
Reporter cryptographer
Modified 2018-06-04T12:01:55


Hello team, your CSRF token does not expire, and after logging in and out many times, I found that your CSRF token is generated the same as the last one.


If an attacker found an XSS on your domain and you fixed it, but the attacker still has a user's CSRF token, the attacker can use it to perform any action.
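The mitigation for the behaviour described above is to bind the CSRF token to the session and replace it whenever the authentication state changes, so a token read out earlier (for example through an XSS that has since been fixed) stops working at the next login or logout. The following is an added illustration written for this page, not Liberapay's code: a framework-free in-memory session store in which the hypothetical `rotate_on_auth_change` flag reproduces the reported behaviour when off and the fix when on.

```python
"""Session-bound CSRF tokens that rotate on every authentication state change.

Illustrative model (not Liberapay's implementation). Each session holds one
CSRF token; with rotation enabled, login and logout both replace it, so a
token captured before a logout no longer verifies after the user returns.
"""
import hmac
import secrets


def _new_token() -> str:
    # 256 bits from the OS CSPRNG; URL-safe so it fits in a hidden form field.
    return secrets.token_urlsafe(32)


class Session:
    """One server-side session: who is logged in and the CSRF token bound to it."""

    def __init__(self) -> None:
        self.user = None
        self.csrf_token = _new_token()


class SessionStore:
    """In-memory session table (stand-in for a database or cache).

    rotate_on_auth_change=False reproduces the reported behaviour: the token
    survives login and logout unchanged.  True is the mitigation.
    """

    def __init__(self, rotate_on_auth_change: bool = True) -> None:
        self.rotate_on_auth_change = rotate_on_auth_change
        self._sessions = {}

    def new_session(self) -> str:
        sid = _new_token()
        self._sessions[sid] = Session()
        return sid

    def csrf_token(self, sid: str) -> str:
        return self._sessions[sid].csrf_token

    def _maybe_rotate(self, session: Session) -> None:
        if self.rotate_on_auth_change:
            session.csrf_token = _new_token()

    def login(self, sid: str, user: str) -> None:
        session = self._sessions[sid]
        session.user = user
        self._maybe_rotate(session)

    def logout(self, sid: str) -> None:
        session = self._sessions[sid]
        session.user = None
        self._maybe_rotate(session)

    def verify_csrf(self, sid: str, submitted: str) -> bool:
        # Constant-time comparison; unknown session or empty token always fails.
        session = self._sessions.get(sid)
        if session is None or not submitted:
            return False
        return hmac.compare_digest(session.csrf_token, submitted)


def token_reuse_after_relogin(rotate: bool) -> bool:
    """Replay the report's scenario: does a token captured before logout still
    pass verification after the user logs out and back in?"""
    store = SessionStore(rotate_on_auth_change=rotate)
    sid = store.new_session()
    store.login(sid, "alice")
    captured = store.csrf_token(sid)   # what an earlier script injection could have read
    store.logout(sid)
    store.login(sid, "alice")          # the user comes back later
    return store.verify_csrf(sid, captured)


if __name__ == "__main__":
    print("captured token still valid without rotation:", token_reuse_after_relogin(rotate=False))
    print("captured token still valid with rotation:   ", token_reuse_after_relogin(rotate=True))
```

In a real deployment the session identifier itself should also be regenerated at login (the standard session-fixation defence), and the rotated token must be re-embedded in every form rendered after the state change; this model keeps the session id fixed only so the before/after tokens are easy to compare.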