I might be missing something here, but there seems to be a flaw with the `disable_cookie` logic.
If I set `disable_cookie` to True using `app.csrf.disable_cookie(lambda r: True)`, SeaSurf stops returning the `set-cookie` header, as expected. However, the token value it generated (in its `_before_request` function) only seems to get set into the session during the `_set_csrf_cookie` function, which is now bypassed because I have disabled cookies. Since the token is never set into the session, a new token will be generated on every request, so I will never be able to get CSRF to pass validation.
The only way around this is to call `current_app.csrf.generate_new_token()` in the view function, as this function does set the new token value into the session, but that means a new token value will be generated every request (thankfully previous ones will validate before they change).
Would it not make more sense to set the token value into the session in `_before_request` when it is generated? Perhaps I am missing something obvious here?
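The failure mode described in the report, modelled as an added example (constructed for this page, not Flask-SeaSurf's own code): a toy CSRF guard with a `before_request` hook that mints a token, an `after_request` hook that is the only place the token reaches the session unless `store_on_generate` is set, and a `validate` step. `SessionCsrf`, `simulate` and the `_csrf_token` session key are assumed names; the `session` dict stands in for the server-side session store. Running the three combinations shows that disabling the cookie alone breaks validation, and that persisting the token at generation time repairs it.

```python
import secrets


class SessionCsrf:
    """Constructed model of a CSRF guard; not Flask-SeaSurf's implementation.

    `cookie_disabled` mirrors disable_cookie(lambda r: True); `store_on_generate`
    switches between persisting the token only on the cookie path (the reported
    behaviour) and persisting it as soon as it is generated (the proposed fix).
    """

    def __init__(self, cookie_disabled: bool, store_on_generate: bool):
        self.cookie_disabled = cookie_disabled
        self.store_on_generate = store_on_generate
        self.session = {}            # stand-in for the server-side session
        self.response_cookies = {}   # stand-in for Set-Cookie headers
        self._csrf_token = None

    def before_request(self) -> str:
        # Reuse the session token if one exists, otherwise mint a fresh one.
        self._csrf_token = self.session.get("_csrf_token") or secrets.token_hex(16)
        if self.store_on_generate:
            # Proposed fix: the token is persisted the moment it is generated.
            self.session["_csrf_token"] = self._csrf_token
        return self._csrf_token

    def after_request(self) -> None:
        # Reported behaviour: the session write lives only on the cookie path,
        # so disabling the cookie also skips persisting the token.
        if self.cookie_disabled:
            return
        self.session["_csrf_token"] = self._csrf_token
        self.response_cookies["_csrf_token"] = self._csrf_token

    def validate(self, submitted: str) -> bool:
        # Constant-time compare against whatever the session holds.
        expected = self.session.get("_csrf_token")
        return expected is not None and secrets.compare_digest(expected, submitted)


def simulate(cookie_disabled: bool, store_on_generate: bool) -> bool:
    """Request 1 renders a form carrying the token; request 2 submits it."""
    guard = SessionCsrf(cookie_disabled, store_on_generate)
    form_token = guard.before_request()   # request 1: token embedded in the form
    guard.after_request()
    guard.before_request()                # request 2: POST carrying form_token
    ok = guard.validate(form_token)
    guard.after_request()
    return ok


if __name__ == "__main__":
    print("cookie on, store on cookie path :", simulate(False, False))
    print("cookie off, store on cookie path:", simulate(True, False))
    print("cookie off, store on generate   :", simulate(True, True))
```

The second call returns False because the token minted in request 1 never reached the session, so request 2 mints a different one and the submitted value has nothing to match; the third call returns True because the token is written to the session when generated, independent of the cookie decision.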