Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Bug (CSRF undefined) + Fix #509

jorisroling opened this Issue · 3 comments

4 participants


I came across an error "Cannot read property '_csrf' of undefined"
(connect/lib/middleware/csrf.js line 79)

This was due to me using the session.ignore array for certain paths.

To make connect tolerant for that specific situation I present the following fix.

In file connect/lib/middleware/csrf.js

module.exports = function csrf(options) {
  var options = options || {}
    , value = options.value || defaultValue;

  return function(req, res, next){

    if (req.session) { // <<<<<<<<<<<<<<< This condition should fix it
        // generate CSRF token
        var token = req.session._csrf || (req.session._csrf = utils.uid(24));

        // ignore GET (for now)
        if ('GET' == req.method) return next();

        // determine value
        var val = value(req);

        // check
        if (val != token) return utils.forbidden(res);

Man There is no need to do this

Just set csrf() in the follow order and will work!

    app.use(express.session({key: 'ts', cookie: {maxAge: 60000}}));
    app.use(express.csrf()); // It must stay after the express.session() and express.cookieParset().

This will work on Connect and Express, which I showed that example


I agree with @jorisroling, I bumped into it as well.
csrf middleware isn't working if you have urls that skip the session middleware (by using the session.ignore array).

I see the ignore array was removed a while ago by 73bf054

but when it was included, it was incompatible with csrf middleware.

@caio-ribeiro-pereira your example does not trigger the bug because you have no ignore urls set up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.