I might be missing something here, but there seems to be a flaw with the disable_cookie logic.
If I set disable_cookie to True using app.csrf.disable_cookie(lambda r: True) Seasurf stops returning the set-cookie header as expected. However, the token value it generated (in its _before_request function) only seems to get set into session during the _set_csrf_cookie function, which is now bypassed because I have disabled_cookies. Since the token is never set into session, a new token will be generated on every request so I will never be able to get CSRF to pass validation.
The only way around this is to call current_app.csrf.generate_new_token() in the view function, as this function does set the new token value into session, but that means a new token value will be generated every request (thankfully previous ones will validate before they change).
Would it not make more sense to set the token value into session in _before_request when it is generated? Perhaps I am missing something obvious here?
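To make the lifecycle described in the report concrete, here is an added toy model (constructed for this page, not Flask-SeaSurf's own code): a dict stands in for the Flask session, SESSION_KEY is an assumed name, and store_on_generate models the proposed change of saving the token in _before_request instead of only in _set_csrf_cookie.

```python
"""Toy model of the CSRF token lifecycle described in the issue.

Constructed example, not Flask-SeaSurf code. A dict stands in for
flask.session; ``store_on_generate`` models the proposed fix of
persisting the token when it is generated in _before_request.
"""
import secrets

SESSION_KEY = "_csrf_token"  # assumed key name, not SeaSurf's


class ToyCsrf:
    def __init__(self, disable_cookie=False, store_on_generate=False):
        self.disable_cookie = disable_cookie
        self.store_on_generate = store_on_generate
        self.session = {}          # stands in for flask.session
        self._token = None
        self.cookie_header = None  # last Set-Cookie value emitted

    def before_request(self):
        # Reuse a token already in session, otherwise generate a fresh one
        # that, without the fix, lives only for this single request.
        self._token = self.session.get(SESSION_KEY) or secrets.token_hex(16)
        if self.store_on_generate:
            self.session[SESSION_KEY] = self._token  # proposed fix
        return self._token

    def after_request(self):
        # Models _set_csrf_cookie: skipped entirely when cookies are
        # disabled, yet it is the only place the token reaches the session.
        if self.disable_cookie:
            self.cookie_header = None
            return
        self.session[SESSION_KEY] = self._token
        self.cookie_header = f"{SESSION_KEY}={self._token}"

    def validate(self, submitted):
        expected = self.session.get(SESSION_KEY)
        return expected is not None and secrets.compare_digest(expected, submitted)


def round_trip(disable_cookie, store_on_generate):
    """GET renders a form token, then a POST submits it; return whether it validates."""
    csrf = ToyCsrf(disable_cookie, store_on_generate)
    form_token = csrf.before_request()  # GET: token embedded in the form
    csrf.after_request()
    csrf.before_request()               # POST: a new request begins
    return csrf.validate(form_token)
```

With cookies disabled and no fix, round_trip returns False because the session never received the GET token; with store_on_generate it returns True.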