Comments (9)
Hi! It's the very first sentence in the README already:
Requires [...] a session middleware [...] to be initialized first
from csurf.
It's funny that you just replaced the words "either" and "or" with "[...]" and "[...]". It is definitely not clear that you must require both, or at least the cookie-parser module, before requiring csurf. As you can see in my code sample, I had required the cookie-parser module before csurf and still ran into that nasty issue.
You do not need cookie-parser at all. You need either a session middleware or cookie-parser, not both.
Basically, you need cookie-parser if you set `cookie: true` in your settings here, and do not need cookie-session. If you remove `cookie: true`, then you do not need cookie-parser and do need cookie-session.
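As an added illustration of the rule in the comment above (this is not csurf's own code or anything from its README): a stand-alone simulation of where csurf looks for its secret, using constructed stand-ins for cookie-parser, a session middleware and csurf itself. The names `fakeCookieParser`, `fakeSession`, `fakeCsurf` and `runChain` are assumptions made for this example.

```javascript
// Constructed stand-ins: each populates the request property the real
// middleware would populate (cookie-parser -> req.cookies, session -> req.session).
function fakeCookieParser(req, res, next) {
  req.cookies = req.cookies || {};
  next();
}
function fakeSession(req, res, next) {
  req.session = req.session || {};
  next();
}

// Simplified csurf: with `cookie: true` the secret bag is req.cookies,
// otherwise it is req.session. If the bag is missing because the required
// middleware did not run first, it reports 'misconfigured csrf', which is
// the error message csurf itself raises in that situation.
function fakeCsurf(options) {
  const cookieMode = Boolean(options && options.cookie);
  return function csrf(req, res, next) {
    const bag = cookieMode ? req.cookies : req.session;
    if (!bag) {
      return next(new Error('misconfigured csrf'));
    }
    next();
  };
}

// Run a middleware chain, in order, against a blank request object and
// return 'ok' or the error message that stopped the chain.
function runChain(middlewares) {
  const req = {};
  const res = {};
  let outcome = 'ok';
  let i = 0;
  function next(err) {
    if (err) { outcome = err.message; return; }
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  }
  next();
  return outcome;
}

// The combinations discussed in the thread, including the one the reporter
// hit: cookie-parser mounted before csurf, but without `cookie: true`.
const results = {
  cookieModeWithCookieParser: runChain([fakeCookieParser, fakeCsurf({ cookie: true })]),
  cookieModeWrongOrder: runChain([fakeCsurf({ cookie: true }), fakeCookieParser]),
  sessionModeWithSession: runChain([fakeSession, fakeCsurf()]),
  sessionModeOnlyCookieParser: runChain([fakeCookieParser, fakeCsurf()]),
};
```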
If you have better wording that will help, please make a PR. The wording that is there makes complete sense to me and many other people, so I don't know how to improve it without direct input from you :)
Aaaah, ok! Actually your wording above is what I've been missing. I'll send you a pull request tomorrow (it's already late here in Germany... maybe the only problem was that English is not my first language). Thanks a lot!
It's no problem, I look forward to the PR :) I can always tweak it. It's not always easy for us to write docs that are clear to new users, since we already have an understanding of how it works, so I can certainly add more text to the README, but it's always best when it's basically from the mouths of the users :)
@dougwilson don't forget -> #63 : ]
I haven't forgotten :)