Weird _csrf cookie issue in Safari.
SimeonC opened this issue
I have this odd issue with the _csrf cookie in Safari (not sure if this is the csurf library or not).
I can replicate this in my app by loading up "https://crm-node:3443/tickets" with no cookie and it decides to set 2.
I use this setup code:
session = require 'express-session'

# security.cookieSecret and sessionstore are defined elsewhere in the app
sessionOptions =
  cookie:
    httpOnly: true
    secure: true
    maxAge: 3600000 * 8 # hour in ms * 8 = 8 hours
  secret: security.cookieSecret
  store: sessionstore
  saveUninitialized: true
  resave: true
app.use session(sessionOptions)

csrf = require "csurf"
# store the CSRF secret in a cookie rather than in the session
app.use csrf(cookie: true)

# expose a token in a readable cookie so the client can echo it back
app.use (req, res, next) ->
  res.cookie 'XSRF-TOKEN', req.csrfToken()
  next()

# error handler
app.use (err, req, res, next) ->
  if err.code isnt 'EBADCSRFTOKEN' then return next err
  # handle CSRF token errors here
  res.status 403
  res.send 'session has expired or form tampered with'
And looking in Safari, for some reason I get the following, which causes errors for some bizarre reason:
Note the duplicate _csrf cookie, one for '/' and one for '/tickets'.
Is this a bug or some kind of user error?
Yes, this is addressed by #41 and will be in the next major; the short version is that you need to clear your cookies to fix the state you're in and then define an explicit path for the _csrf cookie (assuming you even need it; you're using express-session, so there is no point in even using the cookie option in this module if you can store the secret there):

app.use(csurf({
  cookie: {path: '/'}
}))
Let me know if this didn't fix your issue and I can always re-open :)
Thanks, will do. I have some other work I have to get around to before I can fully test it, but my preliminary tests say that that fixes it.