using csurf with session in express

Question

I'm writing a single page application with MEAN stack, and using express-session with redis for session management.

I want to use scrf token in my client's cookies.

the problem is when I add csurf middleware, it set a session with name csrfSecret in redis, but how can I send it in cookie to client?

middlewares :

 app.use(csrf({}));

 app.use(function(req, res, next) {
     res.cookie('csrf-token', req.csrfToken());
     return next();
 });

and csrf-token is sending to client but it don't do anything.and I receive 403 error from module.

thank you for any answer or idea.

score 4 · Answer 1 · answered Aug 29 '18 at 13:51

4

If you want to create a csrf cookie in the client you have to use the following:

app.use(csrf({ cookie: true })

This will create a token in the client. If you do not pass any options to the csrf function it will use req.session. If you want to save the cookie client-side, remember that you will need to use cookie-parser module.

You can find more information in the github link to the project: https://github.com/expressjs/csurf

answered Aug 29 '18 at 13:51

Jose Miguel Colella

61
3

cookie options can be found in https://www.npmjs.com/package/csurf#cookie – Pere Aug 16 '20 at 00:12

using csurf with session in express

1 Answers1