expressjs / csurf

CSRF token middleware
MIT License

Invalid csrf token when calling req.session.destroy() #22

Closed pruhstal closed 10 years ago

pruhstal commented 10 years ago

When using kue.app.listen (and the kue module) I noticed the following issue and reported it to @dougwilson in #express, who told me to open the issue here.

When csurf() is hit, it reads the stored secret in the session, and after that, you can't get it to use another secret, so destroying the session will invalidate whatever csurfToken() gives, even when it is after the req.session.destroy() call.

This only seems to be happening when I use kue, so I thought it was an issue with kue and reported it here: https://github.com/LearnBoost/kue/issues/368

dougwilson commented 10 years ago

I'm pretty sure this is an issue from reading the code, but marking as investigate for now until I write a test to confirm the issue as I think it is.

dougwilson commented 10 years ago

@pruhstal just pushed a change that should fix your issue. You can test it with npm install expressjs/csurf. The change will make it so you can actually call req.csrfToken() after req.session.destroy().

pruhstal commented 10 years ago

Fixed for me. Thanks @dougwilson :+1:

dougwilson commented 10 years ago

Awesome!

dougwilson commented 10 years ago

Published as 1.4.0