kemalcr/kemal-csrf

csrf cookie

crisward opened this issue · 2 comments

In single page apps, the page hasn't always been refreshed when a session expires.
On the next xhr request the stored csrf token will be invalid, so will trigger a csrf error. As the user may have unsaved work, refreshing the browser is not ideal.

The node csrf middleware sets a csrf cookie, which contains the csrf token. This is protected in the same way as the session cookie is, but can be read by js to send back as a header.

This article discusses it - https://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services

I'll add this feature to my fork and create a pull request. Let me know if this needs adding somewhere else as there was talk of merging this in with kemal session.

Thanks.

Hey @crisward thank you for the idea. However I'd like to move this into kemal-session as discussed in #1

I needed this to fix an issue in my app, so I've raised a pull request. Should be easy enough to include in the port.