hapijs / crumb

CSRF crumb generation and validation for hapi

Per-Request VS Per-Session option? #137

Closed ItsBradyDavis closed 4 years ago

ItsBradyDavis commented 4 years ago

I had noticed that the functionality here on crumb seems to be operating on a per-session basis, meaning the crumb value will remain unchanged between calls to different crumbed routes during your current session.

Is there an option to enable a per-request behavior when registering the plugin / routes? If not, could we add one?

I have been able to simulate a per-request behavior by manually deleting the request crumb value within the request handler after it has passed the crumb validation within my own application. I'm wondering if there's any interest in adding this functionality, or if there's already some setting to implement this behavior.

hueniverse commented 4 years ago

What's the actual security concern you are trying to solve with this?

ItsBradyDavis commented 4 years ago

We have certain routes that make calls to an API we have hosted. Ideally we'd like to restrict hitting that route to only be accessible from the form view to prevent a user from trying to hit the endpoint with bad data. With the current functionality, the user would only need to have the client hit the endpoint at the beginning of the session, look at the crumb value in the header (or body), and then hit that route with that crumb value. With a per-request functionality, we'd have the crumb value regenerate at the route (or routes) after they had passed validation.

hueniverse commented 4 years ago

This has not come up as a requirement before, so I'm inclined not to add support for that if you can make it work by simply deleting the state after form validation. If you want to try a PR that is simple and well-contained, I am willing to review it but I can't promise a quick turnaround or even to merge until I see how simple it is.

ItsBradyDavis commented 4 years ago

After updating to the latest version, it appears that this is now a non-issue. Our calls to our crumb generation endpoint are creating new crumb tokens to validate against, rather than returning the same one per session. Closing this issue.