Firstly, the CSRF token is put in the session (if there is one) as soon as it is generated. By doing so, we make sure the token is persisted when the session is flushed (when response headers have been sent). Then, the CSRFHandler works not only with a LocalSessionStore, but with any distributed session store.
Secondly, the CSRF cookie is sent to the client in response to GET requests whenever the value is no longer synchronized with the value stored in the session (if there is one). This prevents users from being "trapped" if a new token has been generated but never makes it to the client (e.g. if the response body never makes it to the client).
See #2599
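The persist-then-resync behaviour described above, as an added Python model of the two rules (this is not the Vert.x CSRFHandler code); the session attribute name and cookie name are assumed placeholders, and the session store and cookie jar are constructed in-memory stand-ins:

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"   # assumed session attribute name (placeholder)
COOKIE_NAME = "XSRF-TOKEN"   # assumed cookie name (placeholder)


def handle_get(session: dict, request_cookies: dict) -> dict:
    """Model of the CSRF handler on a GET request.

    The token is written to the session as soon as it exists, so it is
    persisted when the session is flushed regardless of whether the response
    body reaches the client. The cookie is (re)sent whenever the client's copy
    is missing or differs from the session's copy.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token  # stored before any response is written
    client_copy = request_cookies.get(COOKIE_NAME)
    out_of_sync = client_copy is None or not hmac.compare_digest(client_copy, token)
    return {"set_cookie": token if out_of_sync else None}


def handle_post(session: dict, submitted_token: str) -> bool:
    """Verify a state-changing request against the token held in the session."""
    expected = session.get(SESSION_KEY)
    return expected is not None and hmac.compare_digest(submitted_token, expected)


def simulate_lost_first_response() -> dict:
    """Scenario the change addresses: the first response never reaches the client."""
    session = {}          # constructed: one entry in a (possibly distributed) session store
    browser_cookies = {}  # constructed: the client's cookie jar

    first = handle_get(session, browser_cookies)   # response lost; cookie never stored
    second = handle_get(session, browser_cookies)  # client retries the GET
    if second["set_cookie"] is not None:
        browser_cookies[COOKIE_NAME] = second["set_cookie"]
    third = handle_get(session, browser_cookies)   # client and session now agree

    return {
        "first_sent_cookie": first["set_cookie"] is not None,
        "token_stable": first["set_cookie"] == second["set_cookie"] == session[SESSION_KEY],
        "resynced_on_retry": second["set_cookie"] is not None,
        "quiet_when_in_sync": third["set_cookie"] is None,
        "post_accepted": handle_post(session, browser_cookies[COOKIE_NAME]),
        "post_rejected_bad_token": handle_post(session, "not-the-token"),
    }
```

Because the token lives in the session rather than only in the response, the retry re-issues the same token instead of generating a new one the client would never see.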