Add CSRF option in UseSessions to override the configuration

[changke]

Hi, it seems to me in v2 there is no way to explicitly specify CSRF-checking (like in v1 with @CsrfTokenRequired on certain route). It is always tuned on upon @UseSessions with cookie and settings.session.csrf.enabled set to true. Right?

This would lead to something inconvenient: Normally on a log-in page I would not use CSRF because a user there mostly has no session yet. But after login, if user visits that page and try to login again, Foal will throw an error "CSRF token missing or incorrect.". This scenario could happen e.g I have multiple account and want to sign in without signing out another one first.

The login controller code I use is identical as in the docs.

Or am I using Foal incorrectly? Thanks!

[LoicPoullain]

Hi, it seems to me in v2 there is no way to explicitly specify CSRF-checking (like in v1 with @CsrfTokenRequired on certain route). It is always tuned on upon @UseSessions with cookie and settings.session.csrf.enabled set to true. Right?

Correct.

This would lead to something inconvenient: Normally on a log-in page I would not use CSRF because a user there mostly has no session yet. But after login, if user visits that page and try to login again, Foal will throw an error "CSRF token missing or incorrect.". This scenario could happen e.g I have multiple account and want to sign in without signing out another one first.

Could you simply include the CSRF token when it exists? I would recommend this approach to prevent an attacker from forcing you to log into another account with your current session.

However, this is true that a csrf option is missing in UseSessions to override the configuration behavior (like the openapi option). I thought I added it but apparently not. Let's add it in the next release.

[LoicPoullain]

Resolved in v2.1