expressjs / csurf

CSRF token middleware
MIT License

cookie option issues #14

Open jonathanong opened 10 years ago

jonathanong commented 10 years ago

https://github.com/expressjs/csurf/blob/master/index.js#L44 cookieKey should be `_csrfSecret` or something, not `_csrf`. I think that confuses people.

Also, I think we should move this lib to `cookies`, because implicitly depending on another middleware is silly. This way we could optionally pass in other options like `.httpOnly`, `maxAge`, etc.

defunctzombie commented 9 years ago

I was caught by this issue. The `_csrf` field is actually the `_csrf` secret and not the CSRF token, which the user must set into a cookie on their own.

mrm-dev1 commented 7 years ago

After smashing my head on my desk here pretty much all day because I could not create a simple POST due to the invalid token error (which in fact was valid the whole time; I did notice the cookie being out of sync).

I realized that the cookie was interfering with your nicely documented manual "Simple express example". What worked for me was to disable cookies entirely (`var csrfProtection = csurf({ cookie: false });`) and, other than csurf being misspelled csrf, I also had to post the token in the `X-CSRF-Token` header.

I think you tried to mention this here https://github.com/expressjs/csurf/issues/52 and it did help me target the issue by disabling the cookie altogether, but passing the tokens through the headers as well seemed like an extra step, no?