You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Sep 14, 2022. It is now read-only.
However, when a correct token is submitted, and it is verified, the code does nothing to the secret. So, I can reuse the same token over-and-over again because the secret does not change.
What it should do is when a valid token is verified, it should regenerate a new secret.
The text was updated successfully, but these errors were encountered:
I found that this module only checks whether the submitted CSRF token is valid against the secret inside session/cookie secret at this line https://github.com/expressjs/csurf/blob/master/index.js#L111.
However, when a correct token is submitted, and it is verified, the code does nothing to the secret. So, I can reuse the same token over-and-over again because the secret does not change.
What it should do is when a valid token is verified, it should regenerate a new secret.
The text was updated successfully, but these errors were encountered: