I have this odd issue with the _csrf cookie in safari (not sure if this is csurf library or not).

I can replicate this in my app by loading up "https://crm-node:3443/tickets" with no cookie and it decides to set 2.

I use this setup code:

    app.use require('express-session')
        cookie:
            httpOnly: true
            secure: true
            maxAge: 3600000 * 8 # hour in ms * 8 = 8 hours
        secret: security.cookieSecret
        store: sessionstore
        saveUninitialized: true
        resave: true
    csrf = require "csurf"
    app.use csrf cookie: true
    app.use (req, res, next) ->
        res.cookie 'XSRF-TOKEN', req.csrfToken()
        next()
    # error handler
    app.use (err, req, res, next) ->
        if err.code isnt 'EBADCSRFTOKEN' then return next err

        # handle CSRF token errors here
        res.status 403
        res.send 'session has expired or form tampered with'

And looking on safari for some reason I get the following, causing errors for some bizarre reason:

Note the duplicate _csrf cookie, one for '/' and one for '/tickets'.

Is this a bug or some kind of user error?

Yes, this is addressed by #41 and will be in the next major; the short version is that you nee to clear your cookies to fix the state you're in and then define an explicit path for the _csrf cookie (assuming you even need it; you're using express.session, so there is no point of even using the cookie option in this module if you can store the secret there):

app.use(csurf({
  cookie: {path: '/'}
}))

Let me know if this didn't fix your issue and I can always re-open :)

Thanks will do, I have some other work I have to get around to before I can fully test it but my preliminary tests say that that fixes it.