Closed Elliot128 closed 4 years ago
Hm, strange. It should only be providing back a new value if the client is not sending the `_csrf` cookie to the server with the request. Can you check if your request contains a `Cookie` HTTP header and that it has a `_csrf=` in there?
Thanks for the quick response. I checked the cookies and you were correct, the browser is not sending any cookie headers for some reason.
Will comment back when I get my issue resolved, in case others run into this as well.
So my issue was using the strict `sameSite` policy for the cookie. This route was being hit by an OAuth redirect. As a result, the browser recognized the request as coming from a different domain. Relaxing the `sameSite` policy to `lax` resolved the issue. Thanks again for the quick response.
I'm running this in a Lambda accessed through API Gateway. Every request is producing a new token secret on the `_csrf` cookie. As a result, every request is giving me an invalid csrf token error.