Following situation:
- Application is only accessible via HTTPS/SPDY
- nginx is sending the SSL session ID to the upstream server
- Upon session start I'd like to use the first 128 characters of that string
- In PHP:
$csrf_token = substr($_SERVER["SSL_SESSION_ID"], 0, 128); - The CSRF token is stored on the server in the user’s session and a new token will be generated if a new session is generated
My question(s):
- Is this approach secure (enough)?
- This question is regarding the usage of the SSL session ID and not related to the usage of session based CSRF tokens!
- Would it be possible to use less characters (e.g. 32)?
- Should I add some sort of secret salt to it?
- Anything else that might be a problem with this?
