Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

csrf 403 code in IE 7-9 #595

likejavascript opened this Issue Jun 12, 2012 · 7 comments


None yet
4 participants

I use the connect's csrf module. All work fine but not in IE. When I make submit an html form I get 403 error every time. Does anybody have the same problem on using Internet Explorer browser?


defunctzombie commented Jun 12, 2012

can you provide more information? The relevant middleware stack setup, which route/method is giving the error? This report is too vague for tracking down a single error :)

Yes shure you can try the following example in IE: https://github.com/senchalabs/connect/blob/master/examples/csrf.js
It does not work too.

It seems I've found the reason. I think it happened due IE caching. To see that please follow the steps:

  1. Run the example in your local node server: https://github.com/senchalabs/connect/blob/master/examples/csrf.js
  2. Route to the '/' page
  3. Restart your node server and route to the '/' again (not refresh).
  4. You should see an error 403 Forbidden.

The problem resolved by adding the following code:

.use(function(req, res){
    res.setHeader('Content-Type', 'text/html');

    // Prevent caching
    res.setHeader('Pragma', 'no-cache');
    res.setHeader('Expires', '-1');

    var body = form
      .replace('{token}', req.session._csrf)
      .replace('{user}', req.session.user && req.session.user.name || '');

But I not sure it's correct.


defunctzombie commented Jun 18, 2012

I ran the original example and tried it in IE8 and had no problems. The routes should not have any caching by default IIRC.

Did you follow the steps above?


defunctzombie commented Jun 18, 2012

Yes, and it loaded just fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment