User's CSRF Token is invalid but doesn't look like so about csurf HOT 7 CLOSED

Hi @DanielVip3 sorry you are having issues. Based on your description, especially with all other devices working, it does really sound like perhaps an issue with that device, either it has some setting on it preventing it from working or that that web browser is not compatible and perhaps we need to change something in this module to support it. Unfortunately without even access to that device / web browser combination myself, I'm not sure how such I can actually do to diagnose what the underlying issue is.

from csurf.

@dougwilson so uhm, would there a way to examine myself the thing, asking the user what to do?
What should I specifically examine?
Thanks.

from csurf.

What is the configuration you have for this module (the arguments provided to csurf())?

from csurf.

For now, I pass only
csurf({ cookie: true });, nothing else.
I removed the custom value function, which I only used to test.
Could it depend to the secret key I pass to cookie-parser and express-session?

from csurf.

Cool. So the basic validation for that particular set up is just to check if the page that loads with the HTML form you put above should contain a Set-Cookie response header with a _csrf cookie. Then check if that web browser does indeed have that _csrf cookie stored in the cookie storage for it with the same value in the header. Then check that, when the form is submitted, that the web browser sends a Cookie header with the request and one of the values in that header is _csrf= and after the equals is the same value that was in Set-Cookie from before.

from csurf.

Uhm okay, so I should indeed test cookies. I'm gonna see and let you know soon.

from csurf.

Sorry, that was an issue with this tester who had cookies disabled without us noticing.
Thanks for your help to identify the issue, and sorry for the useless issue and any disturb.
I'm gonna close this issue.

from csurf.