Cross-Site Request Forgery

Cross-site request forgery (CSRF) tricks a user’s browser into sending requests (including form submissions) to pages that normally require authentication, in an attempt to perform actions on behalf of the user without their knowledge.

If the user has a valid authenticated session for the site those requests target, the browser attaches the session credentials and the requests succeed. If proper protections are not in place, this lets the attacker perform unintended actions on behalf of the user.

Submit tokens ensure that the contact who opened the page is the only contact who can submit the form. The SUBMIT_TOKEN_EXP configuration setting lets you define the amount of time the submit token is valid and is set, by default, to expire 30 minutes from the time the token was sent. After 30 minutes, the contact will receive a new token. The expiration process is invisible to the contact making for a seamless user experience.
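To make the submit-token mechanism concrete, here is an added example (not the product's own code) of a per-session, per-form token that expires after `SUBMIT_TOKEN_EXP` seconds and is transparently reissued once it has expired, as the text describes. The token layout, the HMAC signing key, the function names and the `now` parameter (used so expiry can be checked deterministically) are all assumptions of this example; only the `SUBMIT_TOKEN_EXP` name and its 30-minute default come from the page.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# From the page: tokens expire 30 minutes after they were sent (value in seconds here).
SUBMIT_TOKEN_EXP = 30 * 60

# Assumption: a server-side secret used to sign tokens. Constructed per process for
# this example; a real deployment keeps it in configuration, never in the page.
SERVER_KEY = secrets.token_bytes(32)


def _sign(session_id: str, payload: str, key: bytes) -> str:
    # The session id is mixed into the MAC, so a token issued to one contact's
    # session cannot be replayed from another session (or from a forged request).
    return hmac.new(key, f"{session_id}|{payload}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_id: str,
                now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Create a submit token bound to this session and this form, stamped with issue time."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # makes each issued token unique
    payload = f"{form_id}:{issued}:{nonce}"
    return f"{payload}:{_sign(session_id, payload, key)}"


def validate_token(token: str, session_id: str, form_id: str,
                   now: Optional[float] = None, key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature is checked before anything else is trusted."""
    parts = token.split(":")
    if len(parts) != 4 or not parts[1].isdigit():
        return False, "malformed"
    tok_form, issued_s, nonce, mac = parts
    expected = _sign(session_id, f"{tok_form}:{issued_s}:{nonce}", key)
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "bad-signature"
    if tok_form != form_id:                      # valid token, but for a different form
        return False, "wrong-form"
    current = now if now is not None else time.time()
    if current - int(issued_s) > SUBMIT_TOKEN_EXP:
        return False, "expired"
    return True, "ok"


def render_form(session_id: str, form_id: str, now: Optional[float] = None) -> str:
    """Embed the token as a hidden field; a cross-site page cannot read it."""
    token = issue_token(session_id, form_id, now)
    return (f'<form method="post" action="/{form_id}">'
            f'<input type="hidden" name="submit_token" value="{token}">'
            f'<button>Save</button></form>')


def handle_submission(session_id: str, form_id: str, submitted_token: str,
                      now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Process a POST. Returns (outcome, fresh_token).

    On an expired token the form is re-rendered with a new token rather than
    treated as an attack, which is what makes renewal invisible to the contact.
    """
    ok, reason = validate_token(submitted_token, session_id, form_id, now)
    if ok:
        return "accepted", None
    if reason == "expired":
        return "retry-with-new-token", issue_token(session_id, form_id, now)
    return "rejected", None


if __name__ == "__main__":
    # Constructed walk-through: the contact opens the form, then submits it.
    sess = "session-of-contact-42"
    html = render_form(sess, "update-profile", now=1_000)
    token = html.split('value="')[1].split('"')[0]
    print(handle_submission(sess, "update-profile", token, now=1_060))
    # A forged request carries no usable token (the attacker never saw the page):
    print(handle_submission(sess, "update-profile", "", now=1_060))
    # Well after SUBMIT_TOKEN_EXP the contact is simply handed a new token:
    print(handle_submission(sess, "update-profile", token, now=1_000 + SUBMIT_TOKEN_EXP + 1))
```

Binding the token to both the session and the form id means a token harvested from one form cannot be reused against another, and a token issued to a different session fails the signature check even if the attacker somehow obtained it.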

For more information about CSRF vulnerabilities, search for the CSRF Prevention Cheat Sheet on the OWASP Foundation website.