krakenjs / lusca

Application security for express apps.

Is there the ability for the CSRF token built into Kraken to not use a session store? #22

Closed trideepgogoi closed 10 years ago

trideepgogoi commented 10 years ago

The default csrf token solution from Lusca uses the session store, which seems to not work if you are running multiple processes (they don't share a session store) and of course does not work if you run multiple hosts. Is using Redis the only solution? Is there a csrf solution that will not depend on the session store? Maybe a cookie-related token. It seems excessive to run Redis just to maintain sessions for a csrf token when we write stateless apps.

jeffharrell commented 10 years ago

Copying from other post:

lusca provides a way to override the CSRF token implementation (which needs to be better documented) that should allow you to read the cookie off the incoming request and verify that it's correct. Here are two links to help:

https://github.com/paypal/lusca/blob/master/lib/csrf.js#L12
https://github.com/paypal/lusca/blob/master/test/csrf.js#L95

jeffharrell commented 10 years ago

Closing this out due to inactivity and the answer.