XSRF token is removed if an invalid token is passed #2174
I am not sure if this is a bug or a feature—I simply don't understand why this happens (because I thought that XSRF tokens will live as long as the session).
When an invalid XSRF token is sent, the existing token gets removed. So the client will have to retrieve a new token. If you are building an API, for example, you will have to build additional logic into the client software that talks to this API. (Shouldn't it suffice to retrieve the token once per valid session?)
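The behaviour reported above can be modelled in a few lines; this is an added example and not part of the original issue or the project's code. `Session`, `client_post`, `scenario` and the `drop_on_mismatch` switch are hypothetical names, and the model assumes one token stored per session.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a server-side session holding one XSRF token."""

    def __init__(self, drop_on_mismatch):
        self.drop_on_mismatch = drop_on_mismatch  # True = behaviour reported in the issue
        self.token = None

    def issue_token(self):
        # Reuse the stored token if there is one, otherwise mint a new one.
        if self.token is None:
            self.token = secrets.token_urlsafe(32)
        return self.token

    def check(self, submitted):
        # A missing stored token always fails; otherwise compare in constant time.
        ok = self.token is not None and hmac.compare_digest(
            self.token.encode(), (submitted or "").encode())
        if not ok and self.drop_on_mismatch:
            self.token = None  # the stored token is removed after a bad submission
        return ok


def client_post(session, cached_token):
    """Client logic: send the cached token, re-fetch once and retry on rejection.

    Returns (accepted, token_now_cached, fetches_needed).
    """
    if session.check(cached_token):
        return True, cached_token, 0
    fresh = session.issue_token()
    return session.check(fresh), fresh, 1


def scenario(drop_on_mismatch):
    """Valid token cached, one bad submission happens, then the client posts again."""
    s = Session(drop_on_mismatch)
    cached = s.issue_token()
    first = s.check(cached)          # normal request succeeds
    bad = s.check("not-the-token")   # constructed invalid token reaches the server
    accepted, new_cached, fetches = client_post(s, cached)
    return first, bad, accepted, fetches, new_cached == cached
```

With `drop_on_mismatch=True` the client's previously valid token stops working after the bad submission and one extra fetch is needed; with `False` the cached token keeps working for the life of the session.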