expressjs / csurf

CSRF token middleware
MIT License

previous token still valid #142

Closed shamonshan closed 6 years ago

shamonshan commented 6 years ago

For every request it will generate a new token, but the old token is still valid. If I make the request with the old token, no CSRF error is shown.

```js
app.use(function(req, res, next) {
  console.log("Token", req.csrfToken());
  res.setHeader('X-CSRFTOKEN', req.csrfToken());
  next();
});
```

dougwilson commented 6 years ago

That's as it is currently designed. Issue #120 is tracking making expiring ones, and a pull request to implement is welcome!
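
The behaviour discussed in this thread, as an added example that is not csurf's code or part of the original issue: a simplified model of a stateless CSRF token derived from a per-session secret and a random salt, so every token issued under the same secret keeps verifying, plus an optional age check of the kind an expiring token would need. The function names, the HMAC-SHA256 construction and the token layout are assumptions made for illustration.

```javascript
// Added example: simplified model of a stateless, salted CSRF token.
// Names, token layout and HMAC-SHA256 are illustrative assumptions, not csurf internals.
const crypto = require('crypto');

// Per-session secret (random sample value; normally kept in the session or a cookie).
function newSecret() {
  return crypto.randomBytes(18).toString('hex');
}

function mac(secret, payload) {
  return crypto.createHmac('sha256', secret).update(payload).digest('hex');
}

// Token = salt.issuedAt.mac. A fresh salt makes every issued token look different,
// but nothing is stored server-side per token.
function createToken(secret, now = Date.now()) {
  const salt = crypto.randomBytes(8).toString('hex');
  const payload = `${salt}.${now}`;
  return `${payload}.${mac(secret, payload)}`;
}

// maxAgeMs = Infinity models the no-expiry behaviour described in the thread:
// any token minted under the current secret is accepted.
function verifyToken(secret, token, { maxAgeMs = Infinity, now = Date.now() } = {}) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return false;
  const [salt, issuedAt, tag] = parts;
  const expected = Buffer.from(mac(secret, `${salt}.${issuedAt}`));
  const given = Buffer.from(tag);
  // Constant-time comparison; the length check guards timingSafeEqual.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return false;
  }
  // The issue time is covered by the MAC, so a client cannot alter it.
  const age = now - Number(issuedAt);
  return Number.isFinite(age) && age >= 0 && age <= maxAgeMs;
}
```

Without `maxAgeMs`, the only way to invalidate earlier tokens in this model is to rotate the secret, for example when the session is regenerated at login.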