Consider to add some important notes for session config if encounter csrf token invalid

[Cryxto]

Sometimes when we receive desired return of cookie and either header/body for csrf to match even both have right value , it still false when validated.

The culprit was the session , it seems when validating it couldn't match the session ID between generation and validation, so it failed. The option in my case that i should turn the saveUninitialized to true .

[psibean]

This is more of a control flow issue than it is a configuration issue. If you don't yet have a session (or some other cookie to re-identify requests coming from a particular "user") then you don't need CSRF protection yet.

Whilst setting saveUninitialized to true is an option and it does fix this particular "problem" - it's not the only option and it's not necessarily the right choice. In most cases it is the correct choice, as whether or not the session is modified is different to whether or not you want to track returning requests as coming from the same individual.

The alternatives would be to:

• Make sure you don't create a session until you actually need to do so, this way you're only creating a session when you're intending to modify it in the first place, meaning you're only creating sessions when they are intended to be initialised. This is entirely within ones control; or
• Whenever a new session is generated, generate a new CSRF token for that session - you already need to do this when logging in/out and calling refenerate on express-session, but it could be tricky to determine when a new session is created, would not recommend this option.

Typically setting saveUninitialized to true, or following the former alternative are the best options.

This could be something worth adding to the FAQ.