I'm having issues with CSRF tokens. When I submit a form, a new XSRF-TOKEN is being generated but I think I'm generating two different tokens, I'm kinda conf
The token in the cookie will be completely different than the one in the Express session. You want to check for one or the other, not both.
I would disable the cookies entirely, as it worked for me.
var csrfProtection = csurf({ cookie: false });
The author mentions it here: https://github.com/expressjs/csurf/issues/52
Next you want to add the "X-CSRF-Token" to the header on AJAX POST, as found here: Express.js csrf token with jQuery Ajax
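The mismatch described in the answer above, as an added example that is not part of the original post and is not csurf's own code: a simplified secret-based token scheme (HMAC-SHA256 chosen here for illustration) showing that a token derived from a cookie-side secret never validates against the session-side secret. The names `newSecret`, `issueToken`, `verifyToken`, `checkRequest`, `csrfSecret` and `demo` are hypothetical.

```javascript
const crypto = require('node:crypto');

// Simplified model of a secret-based CSRF token (assumption: HMAC-SHA256, not csurf's code).
function newSecret() {
  return crypto.randomBytes(18).toString('base64url');
}

// A token is "<salt>.<HMAC(secret, salt)>", so every call yields a new token for the same secret.
function issueToken(secret) {
  const salt = crypto.randomBytes(8).toString('base64url');
  const mac = crypto.createHmac('sha256', secret).update(salt).digest('base64url');
  return `${salt}.${mac}`;
}

function verifyToken(secret, token) {
  if (typeof secret !== 'string' || typeof token !== 'string') return false;
  const dot = token.indexOf('.');
  if (dot < 1) return false;
  const salt = token.slice(0, dot);
  const expected = Buffer.from(
    crypto.createHmac('sha256', secret).update(salt).digest('base64url'));
  const given = Buffer.from(token.slice(dot + 1));
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Hypothetical request check: one source of truth (the session secret) and
// one place to read the token from (the X-CSRF-Token header).
function checkRequest(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return true;
  return verifyToken(req.session.csrfSecret, req.headers['x-csrf-token']);
}

function demo() {
  const session = { csrfSecret: newSecret() }; // constructed server-side session
  const cookieSecret = newSecret();            // second, independent secret kept in a cookie
  const post = (token) => checkRequest({
    method: 'POST', session, headers: token ? { 'x-csrf-token': token } : {} });
  return {
    sessionToken: post(issueToken(session.csrfSecret)), // accepted
    cookieToken: post(issueToken(cookieSecret)),        // rejected: derived from the other secret
    missingHeader: post(undefined),                     // rejected: AJAX call sent no header
  };
}

console.log(demo());
```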