fix: #7115

src/controllers/api.js

@@ -57,7 +57,7 @@ apiController.loadConfig = function (req, callback) {
 	config.requireEmailConfirmation = meta.config.requireEmailConfirmation === 1;
 	config.topicPostSort = meta.config.topicPostSort || 'oldest_to_newest';
 	config.categoryTopicSort = meta.config.categoryTopicSort || 'newest_to_oldest';
-	config.csrf_token = req.csrfToken && req.csrfToken();
+	config.csrf_token = !req.isSpider() && req.csrfToken && req.csrfToken();
 	config.searchEnabled = plugins.hasListeners('filter:search.query');
 	config.bootswatchSkin = meta.config.bootswatchSkin || '';
 	config.enablePostHistory = (meta.config.enablePostHistory || 1) === 1;

src/middleware/index.js

@@ -32,7 +32,15 @@ middleware.regexes = {
 	timestampedUpload: /^\d+-.+$/,
 };
 
-middleware.applyCSRF = csrf();
+const csrfMiddleware = csrf();
+
+middleware.applyCSRF = function(req, res, next) {
+	if (req.uid >= 0) {
+		csrfMiddleware(req, res, next);
+	} else {
+		setImmediate(next);
+	}
+};
 
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
 

src/webserver.js

@@ -174,8 +174,8 @@ function setupExpressApp(app, callback) {
 		secret: nconf.get('secret'),
 		key: nconf.get('sessionKey'),
 		cookie: setupCookie(),
-		resave: true,
-		saveUninitialized: true,
+		resave: nconf.get('sessionResave') || false,
+		saveUninitialized: nconf.get('sessionSaveUninitialized') || false,
 	}));
 
 	var hsts_option = {