fix(server): uninitialized sessions causing bad CSRF errors

This commit is contained in:
Elian Doran
2026-03-14 23:31:17 +02:00
parent 693919b21a
commit c8a546ef1e


@@ -102,7 +102,11 @@ export const sessionStore = new SQLiteSessionStore();
const sessionParser: express.RequestHandler = session({
secret: sessionSecret,
resave: false, // true forces the session to be saved back to the session store, even if the session was never modified during the request.
saveUninitialized: false, // true forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified.
saveUninitialized: true, // Ensures new sessions are always persisted and the session cookie is sent on the first response.
// This is required for csrf-csrf v4, which binds CSRF tokens to the session ID via HMAC.
// With saveUninitialized: false, a brand-new session would never be saved (and its cookie
// never sent) when noAuthentication=true, causing every request to get a different ephemeral
// session ID and making CSRF validation fail for all API calls.
rolling: true, // forces the session to be saved back to the session store, resetting the expiration date.
cookie: {
path: "/",
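Review bot: Switching `saveUninitialized` to `true` means every request that arrives without a session cookie — including unauthenticated hits when `noAuthentication` is not set — now writes a row to `sessionStore` and issues a cookie, so the SQLite session table grows with raw request volume rather than with logins; the hunk should confirm that `SQLiteSessionStore` (constructed on the hunk's context line, outside the changed lines) expires and prunes those rows. Without pruning, a client that discards its cookie each time can add one row per request, which is a different failure than the CSRF one this commit fixes. Because the session ID is now assigned before authentication and the CSRF token is bound to it, it is also worth checking (not visible here) that the login path regenerates the session after a successful authentication. I would extend the new comment with `// Trade-off: every cookieless request persists a session row; the store relies on expiry/pruning to bound growth.`. The `session({ ... })` options object continues past the end of the hunk.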