posted 6 years ago
Why would you want to remove the CSRF token?
Cookie based authentication pretty much just works by storing the currently logged-in user in a signed cookie. When the browser sends such a cookie to the server, it says "Hey, I previously logged in as this user, so don't ask me for a password again". To prevent a client from forging the user name, the cookie is signed so it can be verified by the server.