"csrf_token" cookie being generated on exempted routes #22
Comments
This behavior can be useful at times. Say, a first-time user wants to post a form from an exempted route to a protected route. The exempted route has to set the cookie, or the request will fail.
They shouldn't exempt that route then.
I wouldn't be so strict about it. Say, you have a login form that is rendered on every page on the sidebar, or header, or whatever. Even on
It's regenerated for the next request.
I am trying to exempt a few routes from csrf but noticed a "csrf_token" cookie still gets generated on those routes. Doesn't seem necessary to have that cookie on exempted routes. Also, is that cookie necessary after a form has been successfully transmitted?
An example with only 1 route that is supposed to be exempted from csrf tokens: