#web-security
2022-08-05
Drew Verlee17:08:08

Sente requires a CSRF token to create the client connection, which I assume gets sent back to the server to get verified. However, the examples confuse me, because I expect the CSRF token to be per user session or per request, and in the example they're pulling it from the index.html, which isn't really bound to a specific session or request. And in many setups you have a CDN cache an index.html and send it to multiple users; usually they prompt the user to log in, and then the SPA is loaded.

Drew Verlee17:08:37

So maybe what's making this hard is that the login depends on the websocket connection.

Drew Verlee17:08:27

Actually, I might be falsely assuming a user session "starts" after they log in.

Drew Verlee17:08:20

Yea, I guess in this case we're just worried about cross-site, not cross-user, leaks.