Presently, CSRF tokens are stored in a browser cookie. This is standard practice, but storing such tokens in the server-side session can sometimes be a security requirement (the token then never leaves the server as a cookie value). As such, we should make this possible via a dedicated setting.
Implementation
[x] Add a csrf.use_sessions boolean setting
[x] Ensure that Marten::Handlers::RequestForgeryProtection stores the token in the session (instead of the cookie) when that setting is enabled