Comments (8)
Hi, there's an open PR #47 which is intended to fix this. I will try to review it in the coming days.
It's working for me.
Did you test with setBaseCookie and http.Handler?
I see a reference to the hardcoded cookie name in https://github.com/justinas/nosurf/blob/master/handler.go#L115 and https://github.com/justinas/nosurf/blob/master/handler.go#L201
What is the problem?
nosurf seems to be always using the hardcoded standard http.Cookie, ignoring setBaseCookie.
Ok. If this is what you mean by problem, I can tell you it is not, because it works well. I'm using go.mod with the github.com/justinas/nosurf v0.0.0-20181122113328-3af30e51c05b version.
Proof:
```go
package main

import (
	"fmt"
	"github.com/justinas/nosurf"
	"html/template"
	"net/http"
)

var templateString = `
<!doctype html>
<html>
<body>
{{ if .name }}
<p>Your name: {{ .name }}</p>
{{ end }}
<form action="/" method="POST">
<input type="text" name="name">
<!-- Try removing this or changing its value
and see what happens -->
<input type="hidden" name="csrf_token" value="{{ .token }}">
<input type="submit" value="Send">
</form>
</body>
</html>
`

var templ = template.Must(template.New("t1").Parse(templateString))

// myFunc renders the form and embeds the per-request CSRF token.
func myFunc(w http.ResponseWriter, r *http.Request) {
	context := make(map[string]string)
	context["token"] = nosurf.Token(r)
	if r.Method == "POST" {
		context["name"] = r.FormValue("name")
	}
	templ.Execute(w, context)
}

// csrfHandler wraps next with nosurf and configures the base cookie,
// including a custom Name.
func csrfHandler(next http.Handler) http.Handler {
	csrfHandler := nosurf.New(next)
	cookie := http.Cookie{
		Name:     "mycsrfcookie",
		Path:     "/",
		Domain:   "",
		HttpOnly: true,
		MaxAge:   3600,
		SameSite: http.SameSiteStrictMode,
	}
	csrfHandler.SetBaseCookie(cookie)
	return csrfHandler
}

func main() {
	myHandler := http.HandlerFunc(myFunc)
	fmt.Println("Listening on http://127.0.0.1:8000/")
	http.ListenAndServe(":8000", csrfHandler(myHandler))
}
```
And see the default csrf_token cookie name:
```
curl -v http://localhost:8000/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8000 (#0)
> GET / HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: csrf_token=RP/1hkGbkLfCi8B7113b8awsmFUOIUETjveNorsXyhs=; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict
< Vary: Cookie
< Date: Fri, 11 Jan 2019 09:32:09 GMT
< Content-Length: 302
< Content-Type: text/html; charset=utf-8
<
<!doctype html>
<html>
<body>
<form action="/" method="POST">
<input type="text" name="name">
<input type="hidden" name="csrf_token" value="kYE8V0CedawvD+1fjETaoxZVyMITsxeYMYiS4qaIIG7VfsnRAQXlG+2ELSRbGQFSunlQlx2SVou/fx9AHZ/qdQ==">
<input type="submit" value="Send">
</form>
</body>
</html>
* Connection #0 to host localhost left intact
```
@hazcod sorry, everything else but the name. I never changed it. Sorry I misunderstood.
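The behaviour the thread ends on (every base-cookie attribute is copied except Name) can be checked offline with net/http/httptest instead of curl. The following is an added example, not nosurf's code: `setCookieIgnoringName` is a hypothetical reconstruction of the reported behaviour, `setCookieHonoringName` is the corrected variant, and `emittedCookieName` is the check you can point at any cookie-setting middleware.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// DefaultCookieName models the hardcoded cookie name the thread discusses.
const DefaultCookieName = "csrf_token"

// setCookieIgnoringName copies Path, Domain, HttpOnly, MaxAge and SameSite
// from the base cookie but overwrites Name, which is the behaviour reported
// in the thread. (Hypothetical reconstruction, not nosurf's code.)
func setCookieIgnoringName(w http.ResponseWriter, base http.Cookie, token string) {
	c := base // struct copy keeps every attribute of the template
	c.Name = DefaultCookieName
	c.Value = token
	http.SetCookie(w, &c)
}

// setCookieHonoringName keeps base.Name and only falls back to the default
// when the caller left the name empty.
func setCookieHonoringName(w http.ResponseWriter, base http.Cookie, token string) {
	c := base
	if c.Name == "" {
		c.Name = DefaultCookieName
	}
	c.Value = token
	http.SetCookie(w, &c)
}

// emittedCookieName runs a cookie-setting function against a recorder and
// returns the name of the first Set-Cookie header it produced ("" if none).
func emittedCookieName(set func(http.ResponseWriter, http.Cookie, string), base http.Cookie) string {
	rec := httptest.NewRecorder()
	set(rec, base, "constructed-token-value") // constructed token, not a real one
	cookies := rec.Result().Cookies()
	if len(cookies) == 0 {
		return ""
	}
	return cookies[0].Name
}

func main() {
	base := http.Cookie{Name: "mycsrfcookie", Path: "/", HttpOnly: true, MaxAge: 3600, SameSite: http.SameSiteStrictMode}
	println(emittedCookieName(setCookieIgnoringName, base)) // csrf_token
	println(emittedCookieName(setCookieHonoringName, base)) // mycsrfcookie
}
```

To audit the real handler, replace the `set` argument with a closure that wraps a request through `nosurf.New(...)` with `SetBaseCookie` applied and read the recorder the same way.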