Closed pruhstal closed 10 years ago
I'm pretty sure this is an issue from reading the code, but marking as investigate for now until I write a test to confirm the issue as I think it is.
@pruhstal just pushed a change that should fix your issue. You can test it with npm install expressjs/csurf. The change will make it so you can actually call req.csrfToken() after req.session.destroy().
Fixed for me. Thanks @dougwilson :+1:
Awesome!
Published as 1.4.0
When using kue.app.listen (and the kue module) I noticed the following issue and reported to @dougwilson in #express who told me to open the issue here.
When csurf() is hit, it reads the stored secret in the session, and after that, you can't get it to use another secret, so destroying the session will invalidate whatever csurfToken() gives, even when it is after the req.session.destroy() call.
This only seems to be happening when I use kue, so I thought it was an issue with kue and reported it here: https://github.com/LearnBoost/kue/issues/368
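The behaviour reported in this thread, as a simplified model added here for illustration (it is not csurf's source code): a CSRF token bound to a per-session secret stops verifying when the secret was captured before the session was replaced. The token format and the names `eagerMiddleware`, `lazyMiddleware`, `csrfSecret` and `tokenSurvivesSessionReset` are assumptions of this sketch, and replacing `req.session` with an empty object stands in for `req.session.destroy()` followed by a fresh session.

```javascript
// Added illustration: a simplified model, not csurf's implementation.
const nodeCrypto = require('crypto');

// Assumed token format: salt + "-" + HMAC-SHA256(secret, salt).
function makeToken(secret) {
  const salt = nodeCrypto.randomBytes(8).toString('hex');
  const mac = nodeCrypto.createHmac('sha256', secret).update(salt).digest('hex');
  return `${salt}-${mac}`;
}

function verifyToken(secret, token) {
  const [salt, mac] = String(token).split('-');
  if (!salt || !mac) return false;
  const expected = nodeCrypto.createHmac('sha256', secret).update(salt).digest('hex');
  // Compare in constant time; lengths must match before timingSafeEqual.
  return mac.length === expected.length &&
    nodeCrypto.timingSafeEqual(Buffer.from(mac), Buffer.from(expected));
}

const newSecret = () => nodeCrypto.randomBytes(18).toString('hex');

// Reported behaviour: the secret is read once, when the middleware runs.
function eagerMiddleware(req) {
  if (!req.session.csrfSecret) req.session.csrfSecret = newSecret();
  const secret = req.session.csrfSecret; // captured here, never refreshed
  req.csrfToken = () => makeToken(secret);
}

// Behaviour the thread describes after the change: consult req.session on each call.
function lazyMiddleware(req) {
  req.csrfToken = () => {
    if (!req.session.csrfSecret) req.session.csrfSecret = newSecret();
    return makeToken(req.session.csrfSecret);
  };
}

// Constructed scenario: a handler replaces the session and then issues a token.
// The follow-up request is checked against the secret the session holds by then.
function tokenSurvivesSessionReset(middleware) {
  const req = { session: {} };
  middleware(req);
  req.session = {}; // stands in for destroy() plus a fresh session
  const token = req.csrfToken();
  const nextSecret = req.session.csrfSecret || newSecret();
  return verifyToken(nextSecret, token);
}
```

With the eager variant the token is bound to a secret that no longer exists in any session, so every form rendered after the reset fails CSRF validation until the page is reloaded.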