Closed rglover closed 11 months ago
Done. Used the csrf flag in conjunction with a refresh on the client after no interaction for 30 minutes (automatically retrieves a new csrf). That way an open tab/stale session doesn't cause errors when the user comes back after an hour + of inactivity.
CSRF stuff is working, but in a load balanced app (as well as in local development w/ HMR), keeping sessions in sync is a pain. Best way to get around sessions going MIA is to put them into the database. Proposal is to just add a csrf: true/false flag to the existing database config (identical to users). This would ensure that sessions are always in sync between instances (irrespective of scale). Would want to add a conditional to say if the app starts with no databases, disable CSRF protection.