is that how you interpreted it? it's not until paragraph 13 (!) where the author states:
> "Josh realised my app might be somehow getting cookies from visiting our site inside this web view, and then sharing those cookies with AFNetworking's underlying NSURLSession, which is handling my requests."
which would have been clear if they'd checked the cookies of the NSURLSession request.
then, in paragraph 17, the author starts concluding:
> "And so the CSRF check was failing every time, because I wasn't sending a Referer header, or any other related CSRF bits."
which would have been clear if they tried comparing a working request to a failing request.
and finally,
> "And of course, I didn't even know about these cookies, so I wasn't deleting them on log out"
which leads me to believe the author never checked the request at all, let alone before anything else.
i'm ignoring the fact the bug sat for months, and took a second person to fix, and got a write up on the blog... so i'm going to have to assume my advice has an audience (like anyone who would classify this bug as "bizarre").
(not trying to pass judgement on the author here at all... we have all been there :))
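
The comparison of a working request against a failing one, as suggested in the comment above, can be sketched as follows. This is an added example, not part of the comment or the blog post it discusses; the two captured requests, the host, the cookie names and the list of CSRF-related headers are constructed assumptions.

```python
from email.parser import Parser

# Headers treated as CSRF-related here (assumption; depends on the server framework).
CSRF_HEADERS = ("referer", "origin", "x-csrftoken")

# Constructed captures: the same API call before and after the web view was used.
WORKING = """POST /api/items HTTP/1.1
Host: example.test
Authorization: Token CONSTRUCTED
Content-Type: application/json

{}"""
FAILING = """POST /api/items HTTP/1.1
Host: example.test
Authorization: Token CONSTRUCTED
Content-Type: application/json
Cookie: sessionid=CONSTRUCTED; csrftoken=CONSTRUCTED

{}"""

def parse_request(raw):
    """Return (lower-cased header dict, set of cookie names) for a raw request."""
    head = raw.strip().split("\n\n", 1)[0]
    _request_line, _, header_block = head.partition("\n")
    msg = Parser().parsestr(header_block, headersonly=True)
    headers = {name.lower(): value for name, value in msg.items()}
    cookies = set()
    for pair in headers.get("cookie", "").split(";"):
        name = pair.split("=", 1)[0].strip()
        if name:
            cookies.add(name)
    return headers, cookies

def diff_requests(working_raw, failing_raw):
    """Report what the failing request sends that the working one does not."""
    wh, wc = parse_request(working_raw)
    fh, fc = parse_request(failing_raw)
    return {
        "headers_only_in_failing": sorted(set(fh) - set(wh)),
        "headers_only_in_working": sorted(set(wh) - set(fh)),
        "cookies_only_in_failing": sorted(fc - wc),
        # Cookies present with no CSRF-related header: the combination
        # a cookie-triggered CSRF check rejects.
        "cookies_without_csrf_headers": bool(fc)
        and not any(h in fh for h in CSRF_HEADERS),
    }

if __name__ == "__main__":
    for key, value in diff_requests(WORKING, FAILING).items():
        print(f"{key}: {value}")
```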