CSRF protection working for one url and not for another
devasiajoseph opened this issue · comments
I have two URLs from which I am submitting the same request, using the same JavaScript function, to the same URL.
I have this URL : http://localhost:8080/p/forgot-password.html
This makes an ajax request to http://localhost:8080/api/uauth/password-reset-request
The above works fine the csrf token is verified.
Now I have another URL
http://localhost:8080/app/uauth/password-reset-start, which makes the same ajax request to the same URL http://localhost:8080/api/uauth/password-reset-request
In the second case the response says CSRF token invalid.
In both cases I see the same cookie value for "_gorilla_csrf" being sent with the request,
and X-CSRF-Token is sent in the header.
Versions
Go version:
go version go1.13 linux/amd64
package version: 4b50158
**Code**

```go
import (
	"log"
	"net/http"

	"github.com/gorilla/csrf"
)

// port, r (the router) and core.SKey (the CSRF auth key) are defined elsewhere in my code.
err := http.ListenAndServe(port,
	csrf.Protect(
		[]byte(core.SKey),
		csrf.Secure(false), // Pass it *to* this constructor
	)(r))
if err != nil {
	log.Println(err)
}
```
What did I miss?
Hi. Yes I can see the cookie value in network inspector in chrome developer tools. Both URLs have the same cookie value being sent
Cookie: _gorilla_csrf=MTU4Njg4NTQ5OHxJbkZZUm5CU2EwWnpaVlpHTUVJelRVZGhZazVYVVRRNFIyNVNNMEZrSzAxQllWbFZURk4yUkV4T2FFMDlJZ289fOgK4tH0ZVJLr9HKvIervQZvX2wuU116P0PMGVECPQ5u
I think I found a way to make this work. If I directly load the URL it won't work on any path. But if I first load the root URL, which in my case is http://localhost:8080/, and then load any of the other URLs, it seems to be working. I checked this after clearing all cookies and also verified this again in incognito mode in Chrome.
I think this might be an issue
In a fresh incognito window this is being set in the response when the page is loaded
Set-Cookie: _gorilla_csrf=MTU4Njg4ODAwM3xJa3Q1TXpVeWFFOHdjMmcyVTA5UVJsbDRXbk5OZFVzMmIzRnZZVGh3VUV4UlVraFhlVlpTT0V0R2JWRTlJZ289fFTAl9VwwmpCNXzaNG4Nn64e_uLt-9YZFhDcDRrolJL7; Expires=Wed, 15 Apr 2020 06:13:23 GMT; Max-Age=43200; HttpOnly; SameSite
And when I click on the submit button an ajax call is made with no cookie being sent on the request, and the request fails.
Now when I refresh the page and make the same ajax request, this cookie is being sent:
Cookie: _gorilla_csrf=MTU4Njg4ODA3MXxJa1Z5TWtwT1pXNHlURnBhTTBKUFEySXZhVGxsWW01VVQyeDRSSFpKU1V0ak5uTmlNVlp1UzJ3eGFuYzlJZ289fDf-nzajhiX7VfnrXEgrY2jo91VROIXdTfuCBn1sG1DF
and the request fails again saying invalid CSRF.
In both cases X-CSRF-Token is set and sent via ajax.
Please let me know if you need further details
Yes - so this clearly shows that the Path is not being set explicitly, and thus the cookie isn’t passed on a neighboring path in the hierarchy.
If you look at the Cookie stored in the browser the Path attribute will likely be scoped to the page it was issued on.
Set `csrf.Path("/")` and clear existing cookies for the broadest possible fix.
See the docs for Path: https://pkg.go.dev/github.com/gorilla/csrf?tab=doc#Path
... as well as the “Scope of Cookies” section here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
Setting csrf.Path("/")
seems to fix the problem. Thank you for the quick response.
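As an added illustration of the maintainer's explanation (not code from gorilla/csrf or from this thread): Go's `net/http/cookiejar` applies the same RFC 6265 default-path and path-match rules a browser does, so it can show which of the reporter's URLs would receive the `_gorilla_csrf` cookie when it is issued without a Path attribute versus with `Path=/`. The cookie name and URLs come from the thread; the cookie value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// cookieSentTo reports whether a cookie named name, issued by a response to
// setURL with the given Path attribute ("" = no Path attribute, so the
// default-path rule applies), is attached to a later request to reqURL.
func cookieSentTo(name, setURL, path, reqURL string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	issuer, err := url.Parse(setURL)
	if err != nil {
		return false, err
	}
	// Constructed sample cookie; "sample" is not a real gorilla/csrf token.
	jar.SetCookies(issuer, []*http.Cookie{{Name: name, Value: "sample", Path: path, HttpOnly: true}})
	target, err := url.Parse(reqURL)
	if err != nil {
		return false, err
	}
	for _, c := range jar.Cookies(target) {
		if c.Name == name {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	const api = "http://localhost:8080/api/uauth/password-reset-request"
	cases := []struct{ issuedOn, path string }{
		{"http://localhost:8080/p/forgot-password.html", ""},          // default path /p
		{"http://localhost:8080/app/uauth/password-reset-start", ""},  // default path /app/uauth
		{"http://localhost:8080/", ""},                                // default path / (loading root first)
		{"http://localhost:8080/app/uauth/password-reset-start", "/"}, // csrf.Path("/")
	}
	for _, tc := range cases {
		sent, err := cookieSentTo("_gorilla_csrf", tc.issuedOn, tc.path, api)
		fmt.Printf("issued on %s with Path=%q -> sent to /api/...: %v (err=%v)\n", tc.issuedOn, tc.path, sent, err)
	}
}
```

Only the last two cases deliver the cookie to the `/api/uauth/...` endpoint, which matches both the reporter's "load the root URL first" workaround and the `csrf.Path("/")` fix.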