A good reason, which you have sort of touched on, is that once the CSRF cookie has been received, it is then available for use throughout the application in client script for use in both regular forms and AJAX POSTs. This will make sense in a JavaScript heavy application such as one employed by AngularJS … Read more
Cross-Site Request Forgery (CSRF) in simple words Assume you are currently logged into your online banking at www.mybank.com Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.) You visit www.cute-cat-pictures.org, not knowing that it is … Read more