
Balancing security with usability when using nonce for CSRF protection

Çağlar Arlı - 39 Views


How does one balance security and usability when using nonces on a website?

Imagine a website where the same nonce is embedded in the page, and stored in the browser session.

If I were to replace the nonce on every page load then:

  1. The user will be unable to use the back button (or web history) because the embedded nonce will be incorrect.

  2. If the user interrupts a page load, it's possible that the server will receive the request but the client will not receive a response. The old nonce will get invalidated but the browser cookie will retain the now-invalid nonce.

I have read that popular SPA frameworks just retain the same nonce across a session's lifetime. That would certainly fix the aforementioned usability problems, but what are the security implications? Is this approach sufficiently safe?

Is CSRF protection the only reason to use a nonce this way? Or does it mitigate any other concerns?
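The two usability failures in the question, and the attack the token exists to stop, can be replayed against both policies in a few lines. The following simulation is an added example, not code from the question or from any particular SPA framework; the `Server`/`Browser` classes, the policy names `"per-session"` and `"per-request"`, and the three scenario functions are all assumptions made here to model the synchronizer-token pattern with the token kept in server-side session state.

```python
"""
Simulate two CSRF synchronizer-token policies (assumed model, not any framework's code):
  "per-session": one token is generated at login and reused for every page
  "per-request": a fresh token is issued each time a page is rendered and
                 the previous one is dropped (the "replace on every page load" policy)
"""
import hmac
import secrets


class Server:
    def __init__(self, policy):
        assert policy in ("per-session", "per-request")
        self.policy = policy
        self.sessions = {}  # session id -> the single CSRF token currently accepted

    def login(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def render_page(self, sid):
        """Serve a page to the session; returns the token embedded in its form."""
        if self.policy == "per-request":
            # Rotating here is what invalidates tokens still sitting in history
            self.sessions[sid] = secrets.token_urlsafe(32)
        return self.sessions[sid]

    def submit_form(self, sid, token):
        expected = self.sessions.get(sid)
        if expected is None or token is None:
            return False
        # Constant-time comparison: a plain == would leak how many leading bytes match
        return hmac.compare_digest(expected, token)


class Browser:
    """A legitimate user's browser: holds the session cookie and the pages it rendered."""

    def __init__(self, server):
        self.server = server
        self.sid = server.login()
        self.history = []  # tokens embedded in pages the browser actually finished loading

    def load(self, interrupted=False):
        token = self.server.render_page(self.sid)
        if not interrupted:  # an aborted load never reaches the DOM
            self.history.append(token)

    def back(self):
        self.history.pop()

    def submit(self):
        return self.server.submit_form(self.sid, self.history[-1])


def scenario_back_button(policy):
    """Load page A, load page B, press Back, submit A's form."""
    b = Browser(Server(policy))
    b.load()
    b.load()
    b.back()
    return b.submit()


def scenario_interrupted_load(policy):
    """Load page A, start loading B but abort before the response arrives, submit A's form."""
    b = Browser(Server(policy))
    b.load()
    b.load(interrupted=True)
    return b.submit()


def scenario_forged_request(policy):
    """Cross-site attacker: the victim's session cookie is sent automatically,
    but the attacker cannot read the token out of the victim's page."""
    b = Browser(Server(policy))
    b.load()
    guess = secrets.token_urlsafe(32)  # constructed value standing in for a blind guess
    return b.server.submit_form(b.sid, guess), b.server.submit_form(b.sid, None)


if __name__ == "__main__":
    for policy in ("per-session", "per-request"):
        print(policy, "back:", scenario_back_button(policy),
              "interrupted:", scenario_interrupted_load(policy),
              "forged:", scenario_forged_request(policy))
```

Run as written, the per-session policy accepts both legitimate submissions and still rejects the forged ones, while the per-request policy rejects all four: rotation buys nothing against a cross-site forger, who never has any token, and only breaks Back and aborted loads. What the per-session token does cost is that a single disclosure of it stays valid until the session ends, so its value depends on the session cookie and the token being unreadable from other origins in the first place.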