Seems like `context.csrf` is being set without me doing anything about csrf HOT 6 CLOSED

Yes, the token is set whether or not you send it. This library asserts that the token was provided by the user.

It's clear that a "real" example is necessary here. I'll see if I can throw something together in shortly.

from csrf.

@stephenmathieson Awesome, thank you

from csrf.

When you say this library asserts that the token "was provided by the user", this validation is happening when you compare the submitted csrf token to the ctx.session.secret, right? So is a new csrf token generated for every context, and validated against the session secret?

If this is the case, I don't see why we need to store the token client-side (in a hidden form field)

from csrf.

The token is salted with the secret. The token is unique per request/session. You need to pass the token to your client so it can send it back. The token validates that the user is who the user is claiming to be.

I think there's a misunderstanding of what this module helps you do. Are you familiar with what CSRF is? A good read/silly read is https://dev.to/rtfeldman/defense-against-the-dark-arts-csrf-attacks. I think it does a pretty good job at explaining what CSRF is/why you should protect against it.

from csrf.

I understand what CSRF protection does, I think I'm confused as to how long one particular csrf token is supposed to last. Should I be sending a new token with every request, or could I save a token when first loading the site, and keep sending that token back with each request (for as long as the user's session lasts)?

from csrf.

The token is valid for the duration of the user’s session in SPAs and for each request otherwise. Basically any time we can create a new token, we will.

from csrf.