gorilla / csrf

Package gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒

Home Page: https://gorilla.github.io


CSRF protection working for one url and not for another

devasiajoseph opened this issue

I have two URLs from which I am submitting the same request, using the same JavaScript function, to the same URL.

I have this URL: http://localhost:8080/p/forgot-password.html
This makes an AJAX request to http://localhost:8080/api/uauth/password-reset-request

The above works fine; the CSRF token is verified.

Now I have another URL

http://localhost:8080/app/uauth/password-reset-start, which makes the same AJAX request to the same URL http://localhost:8080/api/uauth/password-reset-request

In the second case the response says "CSRF token invalid".

In both cases I see the same cookie value for "_gorilla_csrf" being sent with the request,
and X-CSRF-Token is sent in the header.

Versions

Go version: go version go1.13 linux/amd64

package version: 4b50158

**Code**

```go
// r is the router and port the listen address; core.SKey is the 32-byte
// CSRF auth key, all defined elsewhere in the application.
err := http.ListenAndServe(port,
	csrf.Protect(
		[]byte(core.SKey),
		csrf.Secure(false), // Pass it *to* this constructor
	)(r))

if err != nil {
	log.Println(err)
}
```

What did I miss?

Hi. Yes, I can see the cookie value in the network inspector in Chrome developer tools. Both URLs have the same cookie value being sent:
Cookie: _gorilla_csrf=MTU4Njg4NTQ5OHxJbkZZUm5CU2EwWnpaVlpHTUVJelRVZGhZazVYVVRRNFIyNVNNMEZrSzAxQllWbFZURk4yUkV4T2FFMDlJZ289fOgK4tH0ZVJLr9HKvIervQZvX2wuU116P0PMGVECPQ5u

I think I found a way to make this work. If I directly load the URL, it won't work on any path. But if I first load the root URL, which in my case is http://localhost:8080/, and then load any of the other URLs, it seems to be working. I checked this after clearing all cookies and also verified this again in incognito mode in Chrome.

I think this might be an issue.

In a fresh incognito window, this is being set in the response when the page is loaded:
Set-Cookie: _gorilla_csrf=MTU4Njg4ODAwM3xJa3Q1TXpVeWFFOHdjMmcyVTA5UVJsbDRXbk5OZFVzMmIzRnZZVGh3VUV4UlVraFhlVlpTT0V0R2JWRTlJZ289fFTAl9VwwmpCNXzaNG4Nn64e_uLt-9YZFhDcDRrolJL7; Expires=Wed, 15 Apr 2020 06:13:23 GMT; Max-Age=43200; HttpOnly; SameSite

And when I click on the submit button, an AJAX call is made with no cookie being sent on the request, and the request fails.

Now I refresh the page and make the same AJAX request; this cookie is being sent:

Cookie: _gorilla_csrf=MTU4Njg4ODA3MXxJa1Z5TWtwT1pXNHlURnBhTTBKUFEySXZhVGxsWW01VVQyeDRSSFpKU1V0ak5uTmlNVlp1UzJ3eGFuYzlJZ289fDf-nzajhiX7VfnrXEgrY2jo91VROIXdTfuCBn1sG1DF

and the request fails again, saying invalid CSRF.

In both cases X-CSRF-Token is set and sent via AJAX.

Please let me know if you need further details

Yes, so this clearly shows that the Path is not being set explicitly, and thus the cookie isn't passed on a neighboring path in the hierarchy.

If you look at the cookie stored in the browser, the Path attribute will likely be scoped to the page it was issued on.

Set csrf.Path("/") and clear existing cookies for the broadest possible fix.
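The scoping rule behind this reply is the RFC 6265 "default-path" rule: a Set-Cookie without a Path attribute is scoped by the browser to the directory of the page that issued it, so a cookie issued on /p/forgot-password.html gets Path=/p and is never sent to /api/uauth/... (and one issued on / gets Path=/, which is why loading the root first made things work). The following is an added example, not code from the issue or from gorilla/csrf: it uses only Go's standard library, whose net/http/cookiejar implements the same default-path rule a browser does, and a stand-in server that only reproduces the cookie scoping (it does not validate real CSRF tokens). The cookie name comes from the thread; the endpoint paths are the issue's; the cookie value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
)

// cookieName mirrors the cookie seen in the issue. The server below is a
// stand-in that reproduces only the Path scoping, not gorilla/csrf itself.
const cookieName = "_gorilla_csrf"

// newServer returns a test server whose "pages" set the CSRF cookie with the
// given Path attribute. An empty cookiePath means "omit the attribute", which
// is what a csrf.Protect call without csrf.Path("/") does. The API endpoint
// answers 200 if the cookie arrived and 403 otherwise.
func newServer(cookiePath string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/uauth/password-reset-request", func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie(cookieName); err != nil {
			http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	// Every other path is a "page" that issues the cookie.
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{
			Name:     cookieName,
			Value:    "constructed-opaque-value", // constructed, not a real token
			Path:     cookiePath,                 // "" => no Path attribute on the wire
			HttpOnly: true,
			SameSite: http.SameSiteLaxMode,
		})
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprint(w, "<html><body>page</body></html>")
	})
	return httptest.NewServer(mux)
}

// cookieReachesAPI loads pagePath in a fresh "browser" (an empty cookie jar,
// so nothing from an earlier visit can leak in), then posts to the API the
// way the issue's AJAX call does, and reports whether the API saw the cookie.
func cookieReachesAPI(cookiePath, pagePath string) (bool, error) {
	srv := newServer(cookiePath)
	defer srv.Close()

	jar, err := cookiejar.New(nil) // applies the RFC 6265 default-path rule
	if err != nil {
		return false, err
	}
	client := &http.Client{Jar: jar}

	resp, err := client.Get(srv.URL + pagePath)
	if err != nil {
		return false, err
	}
	resp.Body.Close()

	resp, err = client.PostForm(srv.URL+"/api/uauth/password-reset-request", url.Values{})
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

func main() {
	cases := []struct{ cookiePath, pagePath string }{
		{"", "/p/forgot-password.html"},            // scoped to /p: API never sees it
		{"", "/app/uauth/password-reset-start"},    // scoped to /app/uauth: same failure
		{"", "/"},                                  // scoped to /: works, as the reporter saw
		{"/", "/p/forgot-password.html"},           // csrf.Path("/") equivalent: works
		{"/", "/app/uauth/password-reset-start"},   // csrf.Path("/") equivalent: works
	}
	for _, c := range cases {
		ok, err := cookieReachesAPI(c.cookiePath, c.pagePath)
		if err != nil {
			panic(err)
		}
		fmt.Printf("Path=%q page=%-35s cookie sent to /api: %v\n", c.cookiePath, c.pagePath, ok)
	}
}
```

In the real middleware the equivalent of the last two cases is `csrf.Protect(key, csrf.Path("/"))`; existing cookies still carry the narrower Path until they expire or are cleared, which is why the reply says to clear them.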

Setting csrf.Path("/") seems to fix the problem. Thank you for the quick response.