security - Is it acceptable to use the same CSRF Token for a whole session?
Is it acceptable to use the same CSRF token for a whole session? I don't see a reason to change the CSRF token when sessions extend no more than a couple of hours.
Is there a reason to use single-use tokens? In my experience these cause a bad user experience.
I suggest reading OWASP's CSRF cheat sheet.
It is a valid option to use a single token for the entire session, but beware that the site may contain vulnerabilities that can circumvent CSRF defenses, such as XSS or a lack of encryption when sending/receiving sensitive pages.
I use session tokens, with a bit more added. I divided the possible user actions into tiers: the highest tier contains sensitive actions, the lowest tier common non-sensitive actions. The highest tiers require users to authenticate once more, while the middle tiers need the session CSRF token.
Hope this helps :)
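An added example (not code from the answer or from the site) of the scheme the answer describes: one CSRF token issued per session, compared in constant time on state-changing actions, with the highest tier additionally requiring a recent re-authentication. The tier and action names, the re-authentication window and the dict-based session store are assumptions of this example.

```python
import hmac
import secrets

# Action tiers following the answer's scheme (names are assumptions of this example).
LOW = "low"        # non-sensitive, read-only: no CSRF check
MIDDLE = "middle"  # state-changing: the session CSRF token is required
HIGH = "high"      # sensitive: session CSRF token plus a fresh re-authentication

# Constructed mapping of actions to tiers; a real app would keep this beside its routes.
ACTION_TIERS = {
    "view_profile": LOW,
    "update_display_name": MIDDLE,
    "change_password": HIGH,
}

REAUTH_WINDOW = 300  # seconds a re-authentication stays fresh (constructed value)


def new_session(user_id):
    """Create a server-side session holding one CSRF token for its whole lifetime."""
    return {
        "user_id": user_id,
        "csrf_token": secrets.token_urlsafe(32),  # 256 bits from the OS CSPRNG
        "reauth_at": None,  # timestamp of the last explicit re-authentication
    }


def record_reauth(session, now):
    """Called after the user has successfully re-entered their credentials."""
    session["reauth_at"] = now


def authorize(session, action, submitted_token, now):
    """Return (allowed, reason) for a request that wants to perform `action`.

    The token comparison is constant-time so response timing does not leak the
    stored token; a missing or non-string token never matches.
    """
    tier = ACTION_TIERS.get(action)
    if tier is None:
        return False, "unknown action"
    if tier == LOW:
        return True, "no csrf check needed"
    if not isinstance(submitted_token, str) or not hmac.compare_digest(
        session["csrf_token"].encode(), submitted_token.encode()
    ):
        return False, "csrf token mismatch"
    if tier == HIGH and (
        session["reauth_at"] is None or now - session["reauth_at"] > REAUTH_WINDOW
    ):
        return False, "re-authentication required"
    return True, "ok"
```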