expressjs / csurf

CSRF token middleware
MIT License
2.3k stars 216 forks

Added error for no active session #127

Closed franciscop closed 2 years ago

franciscop commented 7 years ago

Added error check for no active session. Generate early error and return in that situation. Following talk on #126:

Because if a token is incoming and a new secret is also being generated, there is certainly no way that the token will match the secret, so even trying to match is likely a waste and I figure providing a different error in that case will be better than the single error.

@dougwilson

Edit: this is WIP and haven't built+tested it locally. Some extra tests would be needed which I'll try to make later on when I can clone+build+test locally.

franciscop commented 7 years ago

@dougwilson please let me know if this is okay so I can continue with the testing

franciscop commented 7 years ago

@dougwilson please let me know if now it's correct or whether I should change anything else. Thank you so much for helping/guiding me so far.