gorilla / csrf

Package gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒

Home Page:https://gorilla.github.io


[bug] CSRF verification fails if requests take too long

sunshine69 opened this issue · comments

Describe the bug
CSRF verification fails if requests take too long

Versions

Go version: go1.13.6 linux/amd64

package version: 4b50158

Steps to Reproduce
I use the upload feature in my app. When uploading small files, or doing any other form activity, it works fine. When the same session tries to upload a large file (2.7G), the app returns a CSRF invalid token error when the upload finishes.

If I run it on the local development box and upload the same file, which is much faster, the error does not happen.

I suspect it has a timeout setting somewhere, but searching around has not given me the answer yet.

Is there any timeout at the server when a CSRF token is submitted and fails to verify?

Thanks


The default is 12 hours. I do not remember setting it anywhere, so it should be the default. I set the SessionStore to 4 hours too. So if it uses the cookie created by the session store, it should be at least 4 hours.

The upload takes less than 30 minutes, and it still happened.

I will try to explicitly set MaxAge with csrf.MaxAge(3600) to see if it happens.

Thanks for your help.

Just tested, and it does not work. It might be something else I am not aware of.

The message after the upload finished is

Forbidden - CSRF token invalid

The workflow is straightforward. A GET to /upload presents the upload form. Select a file and upload; the browser sends data for about 15 to 30 minutes, and then the server processes and saves the file and gives the response (aList is a slice of the attachments created):

	// %+v prints the attachment slice with field names.
	fmt.Fprintf(w, `<html><body><pre>OK Attachment created - %+v</pre>
		<ul>
			<li><a href="/">Home</a></li>
			<li><a href="/upload">More uploads</a></li>
			<li><a href="/list_attachment">List files</a></li>
		</ul>
		</body></html>`, aList)

I am thinking that the upload is not finished yet, and the server has already refused the POST after the file upload has been running for around 15 minutes.

Because the result is that the file upload failed: there is no file uploaded on the server, and no attachment object is created at all.

All of it works fine if I run the server on localhost, which has high-speed upload, or with small file uploads.

The code is below. I just commented out the last line and put in the print debug. I am testing whether the issue occurs without CSRF.

import (
	"log"

	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
)

	router := mux.NewRouter().StrictSlash(true)
	// router := StaticRouter()
	// m.MakePassword is the app's own helper; it must return a 32-byte key.
	CSRF_TOKEN := m.MakePassword(32)
	CSRF := csrf.Protect(
		[]byte(CSRF_TOKEN),
		// csrf.MaxAge and csrf.Secure are functional options: they only take
		// effect when passed to csrf.Protect, not when called on their own.
		csrf.MaxAge(4*3600),
		csrf.Secure(true),
		// instruct the browser to never send cookies during cross site requests
		csrf.SameSite(csrf.SameSiteStrictMode),
		csrf.TrustedOrigins([]string{"note.inxuanthuy.com", "note.xvt.technology"}),
		// csrf.RequestHeader("X-CSRF-Token"),
		// csrf.FieldName("authenticity_token"),
		// csrf.ErrorHandler(http.HandlerFunc(serverError(403))),
	)
	log.Printf("DEBUG temporary disable csrf %v\n", CSRF)
	// router.Use(CSRF)

OK, the test result is that now I don't have this issue, but another issue, which I will fix soon and then retry. The other issue is not CSRF related (the /tmp file system is too small to hold the temporary files).

Set TMPDIR to somewhere else and start testing again ...

OK, without CSRF enabled, the upload is a success. I will try to enable it again and see how it goes. But I cannot relate the two errors: one is for disk space running out and the other is a CSRF failure ...

Right, with CSRF enabled it still works now. Not sure why it showed a CSRF error before when the actual error was the disk running out of space.

Many thanks for your help.
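The thread ends without explaining why a full temp filesystem surfaced as "Forbidden - CSRF token invalid". The mechanism is in net/http rather than in gorilla/csrf: a form-field token can only be read after the multipart body has been parsed, ParseMultipartForm spills any part larger than its memory limit into a temp file under TMPDIR, and PostFormValue discards the parse error. So a body that cannot be parsed (disk full while writing the temp file, or a client that stopped sending halfway, which was the reporter's first theory) yields an empty token and is indistinguishable from a forged request. The program below is an added example, not code from the thread or from gorilla/csrf. It reproduces the symptom offline with a constructed multipart upload that is cut off mid-file, using a simplified header-then-form token lookup as a stand-in for the middleware; the field and header names are assumed to match gorilla/csrf's defaults, and strictToken is a hypothetical helper that surfaces the parse error so a handler can answer 400 for a broken upload instead of a misleading 403.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Assumed to match gorilla/csrf's default form field and request header;
// neither name appears in the thread above.
const (
	tokenField  = "gorilla.csrf.Token"
	tokenHeader = "X-CSRF-Token"
)

// buildUpload constructs a sample multipart POST body (constructed input, not a
// captured request): a file part followed by the CSRF token field, the shape a
// browser produces for an upload form that carries the token in a hidden input.
func buildUpload(fileBytes int, token string) (body []byte, contentType string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	fw, err := w.CreateFormFile("file", "big.bin")
	if err != nil {
		panic(err)
	}
	fw.Write(bytes.Repeat([]byte("x"), fileBytes))
	w.WriteField(tokenField, token)
	w.Close()
	return buf.Bytes(), w.FormDataContentType()
}

// newUploadRequest wraps a body as a POST /upload with the multipart content type.
func newUploadRequest(body []byte, contentType string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(body))
	r.Header.Set("Content-Type", contentType)
	return r
}

// naiveToken is a header-then-form lookup. PostFormValue parses the multipart
// body on first use but discards the parse error, so a body that was cut off or
// that could not be buffered to disk yields "" exactly as a request that never
// carried a token would; a verifier then reports a token mismatch.
func naiveToken(r *http.Request) string {
	if t := r.Header.Get(tokenHeader); t != "" {
		return t
	}
	return r.PostFormValue(tokenField)
}

// strictToken (hypothetical helper) parses the body explicitly first, so the
// caller can tell a broken upload (parse error, answer 400 and log it) from a
// genuine missing or wrong token (answer 403).
func strictToken(r *http.Request) (string, error) {
	if t := r.Header.Get(tokenHeader); t != "" {
		return t, nil
	}
	if err := r.ParseMultipartForm(32 << 20); err != nil {
		return "", fmt.Errorf("multipart body not parsed: %w", err)
	}
	t := r.PostFormValue(tokenField)
	if t == "" {
		return "", errors.New("no CSRF token in form")
	}
	return t, nil
}

func main() {
	body, ct := buildUpload(256<<10, "tok-123")

	fmt.Printf("complete upload: token=%q\n", naiveToken(newUploadRequest(body, ct)))

	// Simulate the upload stopping halfway through the file part: the token
	// field behind it never arrives and the multipart reader hits EOF early.
	cut := body[:len(body)/2]
	fmt.Printf("truncated upload: token=%q\n", naiveToken(newUploadRequest(cut, ct)))
	if _, err := strictToken(newUploadRequest(cut, ct)); err != nil {
		fmt.Println("truncated upload, strict lookup:", err)
	}
}
```

The same parse step is where a full TMPDIR fails: ParseMultipartForm returns the temp-file write error, PostFormValue swallows it, and the middleware sees no token. Checking the body parse before the token comparison, or logging the underlying reason from a custom CSRF error handler, turns that into a diagnosable 400 rather than a 403 that sends you chasing MaxAge settings.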