Comments (8)
justinas
commented on May 5, 2024
2
Hi, there's an open PR #47 which is intended to fix this. I will try to review it in the coming days.
from nosurf.
frederikhors
commented on May 5, 2024
It's working for me.
from nosurf.
hazcod
commented on May 5, 2024
Did you test with setBaseCookie and http.Handler?
I see a reference to the hardcoded cookie name in https://github.com/justinas/nosurf/blob/master/handler.go#L115 and https://github.com/justinas/nosurf/blob/master/handler.go#L201
from nosurf.
frederikhors
commented on May 5, 2024
What is the problem?
from nosurf.
hazcod
commented on May 5, 2024
nosurf seems to be always using the hardcoded standard http.Cookie , ignoring setBaseCookie.
from nosurf.
frederikhors
commented on May 5, 2024
Ok. If this is what you mean by problem I can say you it is not. Because it works good. I'm using go.mod with: github.com/justinas/nosurf v0.0.0-20181122113328-3af30e51c05b version.
from nosurf.
hazcod
commented on May 5, 2024
Proof:
package main
import (
"fmt"
"github.com/justinas/nosurf"
"html/template"
"net/http"
)
var templateString = `
<!doctype html>
<html>
<body>
{{ if .name }}
<p>Your name: {{ .name }}</p>
{{ end }}
<form action="/" method="POST">
<input type="text" name="name">
<!-- Try removing this or changing its value
and see what happens -->
<input type="hidden" name="csrf_token" value="{{ .token }}">
<input type="submit" value="Send">
</form>
</body>
</html>
`
var templ = template.Must(template.New("t1").Parse(templateString))
func myFunc(w http.ResponseWriter, r *http.Request) {
context := make(map[string]string)
context["token"] = nosurf.Token(r)
if r.Method == "POST" {
context["name"] = r.FormValue("name")
}
templ.Execute(w, context)
}
func csrfHandler(next http.Handler) http.Handler {
csrfHandler := nosurf.New(next)
cookie := http.Cookie{
Name: "mycsrfcookie",
Path: "/",
Domain: "",
HttpOnly: true,
MaxAge: 3600,
SameSite: http.SameSiteStrictMode,
}
csrfHandler.SetBaseCookie(cookie)
return csrfHandler
}
func main() {
myHandler := http.HandlerFunc(myFunc)
fmt.Println("Listening on http://127.0.0.1:8000/")
http.ListenAndServe(":8000", csrfHandler(myHandler))
}
And see the default csrf_token cookie name:
curl -v http://localhost:8000/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8000 (#0)
> GET / HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: csrf_token=RP/1hkGbkLfCi8B7113b8awsmFUOIUETjveNorsXyhs=; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict
< Vary: Cookie
< Date: Fri, 11 Jan 2019 09:32:09 GMT
< Content-Length: 302
< Content-Type: text/html; charset=utf-8
<
<!doctype html>
<html>
<body>
<form action="/" method="POST">
<input type="text" name="name">
<input type="hidden" name="csrf_token" value="kYE8V0CedawvD+1fjETaoxZVyMITsxeYMYiS4qaIIG7VfsnRAQXlG+2ELSRbGQFSunlQlx2SVou/fx9AHZ/qdQ==">
<input type="submit" value="Send">
</form>
</body>
</html>
* Connection #0 to host localhost left intact
from nosurf.
frederikhors
commented on May 5, 2024
@hazcod sorry, everything else but the name. I never changed it. Sorry I misunderstood.
from nosurf.
Related Issues (20)
- Filtering out safe methods and excluded paths HOT 2
- Token value error HOT 6
- Send a response body in defaultFailureHandler HOT 2
- please consider updating tags or deleting the current tag HOT 3
- example is insecure HOT 4
- Remove Referer check HOT 1
- Possible flaw HOT 2
- Wiki page for newbies doubts and problems
- Doubts about many cookies and many Path for a single domain. HOT 13
- Prevent form resubmit HOT 1
- Logging HOT 1
- Combining Session and CSRF cookie HOT 3
- Is this normal behavior? HOT 5
- RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set
- How does nosurf OTP protect against BREACH? HOT 5
- Inappropriate key in call to `context.WithValue`
- Ability to handle multiple cookies in context HOT 5
- Installing command of `nosurf` is missing in README.md
- CSRF failed with bad request HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nosurf.