So I am developing a small auth-module for an application of mine, mainly to learn how session-based auth really works.
I thought it would be cool if it could also provide csrf protection, so I kinda dug into the topic and got extremely confused.
From my understanding, the csrf-token is created at the beginning of the session and then saved in a db on the server and a cookie on the client side. Now on every request, the csrf token is sent through a header by the client.
Is it better to provide a new token per request?
I thought about using the csrf module to create a secret and then hash it with a salt on every request, but that introduces a whole lot of new problems:
Will the latency be too high? What to do if there hasn't been a request already through which the token has been sent?
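As an added illustration (not the poster's code or the csrf module's own implementation), here is a minimal Python model of the scheme the question describes: one secret per session on the server, and a fresh salted token minted on every request, so nothing new has to be stored per request and a request that arrives with no token is simply rejected. The in-memory store, the `X-CSRF-Token` header name and the function names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory session store: session_id -> per-session CSRF secret.
# In a real app this is the server-side session record; the secret itself is
# never sent to the browser, only tokens derived from it.
SESSIONS = {}

def start_session():
    """Create a session and its CSRF secret; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid

def issue_token(sid):
    """Mint a fresh token for one request: "<salt>.<HMAC(secret, salt)>".
    Any token minted from the same secret stays verifiable, so minting a new
    one per request costs no storage and no extra db round trip."""
    secret = SESSIONS[sid]
    salt = secrets.token_hex(8)
    mac = hmac.new(secret, salt.encode(), hashlib.sha256).hexdigest()
    return f"{salt}.{mac}"

def verify_token(sid, token):
    """Recompute the MAC from the salt carried in the token and compare it
    in constant time. False for unknown sessions, malformed or missing tokens."""
    secret = SESSIONS.get(sid)
    if secret is None or not isinstance(token, str) or "." not in token:
        return False
    salt, _, mac = token.partition(".")
    expected = hmac.new(secret, salt.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())

def check_request(sid, headers):
    """Gate a state-changing request on the token sent in the request header.
    A first request that carries no token yet is rejected rather than trusted."""
    return verify_token(sid, headers.get("X-CSRF-Token"))
```
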