expressjs / csurf

CSRF token middleware
MIT License

Add option to regenerate the secret #206

Closed SChetwynd closed 8 months ago

SChetwynd commented 4 years ago

Previous functionality allowed the same token to be used for the life of the session. This option will regenerate the secret every time req.csrfToken() is called, invalidating the previous secret.

Related issues: https://github.com/expressjs/csurf/issues/188 https://github.com/expressjs/csurf/issues/120

ptrin commented 4 years ago

@dougwilson @jonathanong What do you think of the PR? Many users of this library would like the ability for the token to be valid for only a single request, and the changes are not very extensive and accompanied by tests.

dougwilson commented 4 years ago

Ah, thank you for bringing this to my attention. If this is supposed to solve the token for a single request use case, I do not think it is the correct approach. Regenerating the secret will invalidate all outstanding tokens. This will lead to very poor user experience with no improved security. For example, it is very common for users to have multiple tabs open on a web site. This would break that functionality.

A per-page or per-request token can be implemented without regenerating the underlying secret value.

minnaliang commented 4 years ago

@dougwilson When you say "A per-page or per-request token can be implemented without regenerating the underlying secret value.", did you mean the csrf library already has support for this and if so how? Basically I don't want the csrf token to be re-usable for another request while the session is still active.