Open jonathanong opened 10 years ago
I was caught by this issue. The `_csrf` field is actually the `_csrf` secret and not the csrf token, which the user must set into a cookie on their own.
After smashing my head on my desk here pretty much all day because I could not create a simple post due to the invalid token error (which in fact was valid the whole time; I did notice the cookie being out of sync),
I realized that the cookie was interfering with your nicely documented manual "Simple express example". What worked for me was to disable cookies entirely, `var csrfProtection = csurf({ cookie: false });`, and other than csurf being misspelled csrf, I also had to post the token in the "X-CSRF-Token" header.
I think you tried to mention this here https://github.com/expressjs/csurf/issues/52 and it did help me target the issue by disabling the cookie altogether, but passing the tokens through the headers as well seemed like an extra step, no?
https://github.com/expressjs/csurf/blob/master/index.js#L44

`cookieKey` should be `_csrfSecret` or something, not `_csrf`. I think that confuses people. Also, I think we should move this lib to `cookies` because implicitly depending on another middleware is silly. This way we could optionally pass in other options like `.httpOnly` and `maxAge`, etc.