Comments (5)
Could you elaborate on the issue? Although the masked token will be different across page (frame) loads, the unmasked token remains the same for the lifetime of the cookie, meaning any of the masked tokens should work when submitted?
from nosurf.
How can I provide to you more information?
Here's the middleware:
v1ClientRouter.Use(func() gin.HandlerFunc {
u, _ := url.Parse(os.Getenv("BASE_URL"))
nextHandler, wrapper := adapter.New()
csrfHandler := nosurf.New(nextHandler)
csrfHandler.SetBaseCookie(http.Cookie{
Name: "csrf_token",
Path: u.Path,
Domain: u.Host,
Expires: time.Now().Add(5 * time.Minute),
RawExpires: "",
MaxAge: 60 * 5,
Secure: true,
HttpOnly: true,
SameSite: http.SameSiteNoneMode,
})
csrfHandler.ExemptPath(v1ClientRouter.BasePath() + "/action")
return wrapper(csrfHandler)
}())
I set the token in the template like this:
c.HTML(http.StatusOK, "form.tmpl", gin.H{
"CSRF": nosurf.Token(c.Request),
...
})
On form submission I include the CSRF token and check like this:
nosurf.VerifyToken(nosurf.Token(c.Request), body.CSRFToken)
It works randomly, that's why I think it's overwriting the token/cookie depending on which iframe loads first on the screen
2022-10-19T10:48:30.377+0200 debug logging/logging.go:122 NOSURF {"verification": false, "token": "44ZWy3vzYszGx7VvZWMDRq+9dVwzTliqFwxzyZXrr50/tCtU1smMFw4xw8i8o6UAFmAFrJ0FJO9qvnMRkkXlYw==", "body.CSRFToken": "VhG8BSyab2jMh7dcBp8HNn8whRWRCuupTGIuRe+6TSyAJdx66Vxp6ZFXn7gYRiuPYWlba3AjZMbgbnuGQy0wag=="}
2022-10-19T10:48:35.781+0200 debug logging/logging.go:122 NOSURF {"verification": true, "token": "/9d5EIpIsRJ2enCleZS0To6ogx52q55P5uGPy2go1/Aj5QSPJ3Jfyb6MBgKgVBIIN3Xz7tjg4gqbU48Tb4adDg==", "body.CSRFToken": "9i9Eh/ONUH/HDvbE4AwCQmgg13lcZ/o58z8ubk4C9YYqHTkYXre+pA/4gGM5zKQE0f2nifIshnyOjS62Say/eA=="}
from nosurf.
@justinas any thoughts on this?
from nosurf.
I think I understand the issue now. nosurf
works correctly when the user's first-interaction-ever with the website is not concurrent with any other page load on the website. However, when doing two "initial loads" at the same time, it tries to set two cookies at the same time.
I do not yet have a good fix in mind for this. Is there a way in your case to make some initial request that would set the cookie? Then, you can load the two frames and they will operate on the existing cookie, and not set a new one.
By the way, this seems like it will not work as expected:
Expires: time.Now().Add(5 * time.Minute),
This sets all nosurf cookies to expire at the absolute time "5 minutes after the middleware is initially constructed". I am not sure if MaxAge
overrides this, if so, this Expires
is not even necessary.
In general, setting the cookie to such a short duration, will exacerbate such problems, as the cookies will expire more often. nosurf
is designed to work with long-living cookies. That is why MaxAge
is set to 1 year by default.
from nosurf.
I'm afraid there's no possibility of an initial request as it's used by a 3rd party.
from nosurf.
Related Issues (20)
- Filtering out safe methods and excluded paths HOT 2
- Token value error HOT 6
- Send a response body in defaultFailureHandler HOT 2
- please consider updating tags or deleting the current tag HOT 3
- example is insecure HOT 4
- Remove Referer check HOT 1
- Possible flaw HOT 2
- SetBaseCookie not having effect HOT 8
- Wiki page for newbies doubts and problems
- Doubts about many cookies and many Path for a single domain. HOT 13
- Prevent form resubmit HOT 1
- Logging HOT 1
- Combining Session and CSRF cookie HOT 3
- Is this normal behavior? HOT 5
- RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set
- How does nosurf OTP protect against BREACH? HOT 5
- Inappropriate key in call to `context.WithValue`
- Installing command of `nosurf` is missing in README.md
- CSRF failed with bad request HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nosurf.