Closed jonathanong closed 7 years ago
might need to add a get()
and set()
function
I'd like to do this with a signed cookie.
I'm writing a app-like site that does all the routing client side and instead of sessions uses localStorage to save a JWT and includes that in api calls.
This actually means that I don't even need csrf protection in api calls involving a user. However I do still need csrf protection in oauth based signin flows (ie: Facebook/Google social logins) and in password signup/signin api calls to protect from password brute forcing attempted using other people's browsers.
So I don't use or desire sessions, but I do need a csrf token tied to a cookie.
@jonathanong is this still relevant/needed? I think it's a little weird that we claim such a generic field on .session
, but it's never caused me problems.
IMO we should close this since the last comment is a year old and folks are still using this package daily.
yeah we can close this. nowadays, i think other types of session should just implement CSRF themselves
not sure where or how.