Have successfully gotten the csrf middleware working in express as per previous SO questions. It’s generating the tokens fine however it is denying ALL form submissions.

The only possible conflict I can see is that I am using redis as a session store with connect-redis and plugging socket.io into the session, but I’ve commented out the socket bits and it’s still not playing nice.

This is the order I’m calling my middleware is somethign possibly screwy here?

(CoffeeScript)

app.configure ->
    app.set 'views', __dirname + '/views'
    app.set 'view engine', 'jade'
    app.use express.bodyParser()
    app.use express.methodOverride()
    app.use express.cookieParser()
    app.use express.session
        secret: "itsasecret"
        store: sessionStore
    app.use express.csrf()
    app.dynamicHelpers
        token: (req, res) ->
        req.session._csrf
    app.use app.router
    app.use express.static(__dirname + '/public')

This is the route that responds to the posted data.

(This is not development code, just me learning node I am well aware this would be a monstrosity if I put it online)

app.post '/admin/logintry', (req, res) ->
    if req.body.username is 'Tim' and req.body.password is 'TempPassword'
        req.session.adminIn = true
        res.redirect '/admin/home'
    else
        res.redirect '/admin/login?failed=true'

Here is the HTML that is reaching the browser on the form page:

<input type="hidden" token="5ODFxml1QAhQvOmq1QE6Qd7n">

And the response received from “/admin/logintry”:

Forbidden

New to Node, Express and SO, only recently properly learnt javascript, unsure where to even start looking for issues. Any help, even just on where to start digging greatly appreciated.

Cheers.