No regeneration of secret when a valid token is submitted #188

ptantiku · 2019-06-23T14:46:48Z

I found that this module only checks whether the submitted CSRF token is valid against the secret inside session/cookie secret at this line https://github.com/expressjs/csurf/blob/master/index.js#L111.

However, when a correct token is submitted, and it is verified, the code does nothing to the secret. So, I can reuse the same token over-and-over again because the secret does not change.

What it should do is when a valid token is verified, it should regenerate a new secret.

dougwilson · 2019-06-23T15:21:33Z

That's as it is currently designed. Issues #120 is tracking making expiring ones, and a pull request to implement is welcome!

dougwilson · 2019-06-23T15:22:15Z

Pull requests to implement the feature you want are welcome.

dougwilson closed this as completed Jun 23, 2019

dougwilson added the duplicate label Jun 23, 2019

SChetwynd mentioned this issue Feb 6, 2020

Add option to regenerate the secret #206

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No regeneration of secret when a valid token is submitted #188

No regeneration of secret when a valid token is submitted #188

ptantiku commented Jun 23, 2019

dougwilson commented Jun 23, 2019

dougwilson commented Jun 23, 2019

No regeneration of secret when a valid token is submitted #188

No regeneration of secret when a valid token is submitted #188

Comments

ptantiku commented Jun 23, 2019

dougwilson commented Jun 23, 2019

dougwilson commented Jun 23, 2019