add option for per-session CSRF token (#105)

swsch · web-flow · commit 9b5bc5b882d6 · 2025-07-31T13:38:43.000+03:00
diff --git a/spec/csrf_spec.cr b/spec/csrf_spec.cr
@@ -112,6 +112,22 @@ describe "CSRF" do
     client_response.status_code.should eq 403
     client_response.body.should eq "Error from handler"
   end
+
+  it "does not change the token when per_session is set" do
+    handler = Kemal::Session::CSRF.new(per_session: true)
+    request = HTTP::Request.new("POST", "/first",
+      body: "foo=bar",
+      headers: HTTP::Headers{"Content-Type" => "application/x-www-form-urlencoded"})
+    io, context = process_request(handler, request)
+    first_response = HTTP::Client::Response.from_io(io, decompress: false)
+    first_token = context.session.string("csrf")
+    request = HTTP::Request.new("POST", "/second",
+      body: "authenticity_token=#{first_token}",
+      headers: HTTP::Headers{"Content-Type" => "application/x-www-form-urlencoded",
+                             "Cookie"       => first_response.headers["Set-Cookie"]})
+    io, context = process_request(handler, request)
+    context.session.string("csrf").should eq first_token
+  end
 end
 
 def create_request_and_return_io(handler, request)
diff --git a/src/kemal-session/csrf.cr b/src/kemal-session/csrf.cr
@@ -16,6 +16,7 @@ module Kemal
         @allowed_routes = [] of String,
         @http_only : Bool = false,
         @samesite : HTTP::Cookie::SameSite? = nil,
+        @per_session : Bool = false,
       )
         setup
       end
@@ -54,7 +55,7 @@ module Kemal
                     end
         current_token = context.session.string("csrf")
         if current_token == submitted
-          context.session.string("csrf", Random::Secure.hex(16))
+          context.session.string("csrf", Random::Secure.hex(16)) unless @per_session
 
           return call_next(context)
         else
