justinas / nosurf

CSRF protection middleware for Go.

Home Page: http://godoc.org/github.com/justinas/nosurf


Doubts about many cookies and many Path for a single domain.

frederikhors opened this issue

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (#52).

Writing #52 I had a doubt:

Do I need to use nosurf.SetBaseCookie(http.Cookie{Path: "/"})?

I don't know if many CSRF cookies make sense if I have these routes:

  • "/"
  • "/login" - server rendered html form with csrf
  • "/logout" - just a GET that logs out
  • "/api" - JSON API endpoint (POST, GET), so it needs CSRF protection
  • "/oldApiEndpoint"

Why does nosurf keep creating cookies for these routes? I think I just need one cookie with Path: "/" and Domain: ".mysite.com".

Where am I wrong?

Hi,

As far as I am aware, you do not need to set Path for each page: having no Path attribute should function the same as Path: "/".

Path is basically just a security measure, similar to Domain. For example, if I host my site at example.com/justinas and you have yours example.com/frederikhors, you would set the path to /frederikhors in order to not expose your cookies to my application.

The nosurf handler will by default both verify and set a cookie, no matter what route you hit. Even the Exempt*() functions only skip the verification - the cookie is still generated. See the discussions on #22 or #37 for more info.

Ok, @justinas I understood.

What I mean is: do I really need all the cookies for each Path? (More cookies, bigger requests.)

If I use nosurf.SetBaseCookie(http.Cookie{Path: "/"}) it overwrites my CSRF cookie every time and I'm OK.

Now every time nosurf generates a cookie I have just one cookie with Path: "/" and Domain: ".mydomain.com".

Every page can use it (in case we want to hypothesize an eventual form rendered on each page).

The questions:

  • Is this behavior safe security-wise?
  • Am I wrong doing this?

I can do this - IMO - because I do not have any subdomain like in your example:

For example, if I host my site at example.com/justinas and you have yours example.com/frederikhors, you would set the path to /frederikhors in order to not expose your cookies to my application.

Having just one cookie with a path and domain like that is absolutely fine and in fact it is the default behavior even if you do not set Path & Domain explicitly.
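As an added example (not code from the nosurf project or from anyone in this thread), the following Go program shows the rule that decides whether a cookie set without a Path attribute behaves like Path: "/". Per RFC 6265 section 5.1.4 the browser computes a "default-path" from the request URL: for a top-level route such as /login that is "/", but for a nested route such as /api/v1/items it is "/api/v1", so a cookie issued there is not sent back to /login and the next page gets a cookie of its own. DefaultPath and PathMatches spell the rule out; CookiesSentTo runs the same scenario through Go's standard net/http/cookiejar, which applies the same algorithm a browser does. The host mysite.example, the cookie name csrf_token and the route /api/v1/items are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
)

// DefaultPath is the "default-path" a user agent assigns to a cookie whose
// Set-Cookie header carries no Path attribute (RFC 6265, section 5.1.4):
// the request path up to, but not including, its last "/".
func DefaultPath(requestPath string) string {
	if requestPath == "" || requestPath[0] != '/' {
		return "/"
	}
	i := strings.LastIndex(requestPath, "/")
	if i == 0 {
		return "/" // "/login", "/api", "/oldApiEndpoint": the default is "/"
	}
	return requestPath[:i] // "/api/v1/items" -> "/api/v1"
}

// PathMatches is the path-match rule of RFC 6265, section 5.1.4: a cookie
// scoped to cookiePath is attached to a request for requestPath only when
// the paths are equal, or cookiePath is a prefix that ends in "/", or the
// character after the prefix in requestPath is "/".
func PathMatches(cookiePath, requestPath string) bool {
	if cookiePath == requestPath {
		return true
	}
	if !strings.HasPrefix(requestPath, cookiePath) {
		return false
	}
	// "/api/" matches "/api/users"; "/api" matches "/api/users" but not "/apiv2".
	return strings.HasSuffix(cookiePath, "/") || requestPath[len(cookiePath)] == '/'
}

// CookiesSentTo stores one token cookie, as if a response to issuedOn had
// set it with the given Path attribute ("" meaning the attribute was omitted),
// in Go's standard cookie jar and returns the cookie names the jar would
// attach to a later request for probe on the same host. The host name and
// cookie name are made up for the example.
func CookiesSentTo(cookiePath, issuedOn, probe string) []string {
	jar, err := cookiejar.New(nil)
	if err != nil {
		panic(err)
	}
	issueURL := &url.URL{Scheme: "https", Host: "mysite.example", Path: issuedOn}
	jar.SetCookies(issueURL, []*http.Cookie{{
		Name:     "csrf_token", // hypothetical cookie name
		Value:    "t0k3n",
		Path:     cookiePath,
		HttpOnly: true,
	}})
	probeURL := &url.URL{Scheme: "https", Host: "mysite.example", Path: probe}
	var names []string
	for _, c := range jar.Cookies(probeURL) {
		names = append(names, c.Name)
	}
	return names
}

func main() {
	routes := []string{"/", "/login", "/logout", "/api", "/oldApiEndpoint", "/api/v1/items"}
	for _, r := range routes {
		fmt.Printf("cookie set on %-16s without Path -> scoped to %q\n", r, DefaultPath(r))
	}
	// The case that yields "many cookies with many paths": a cookie issued on a
	// nested route is not sent back on a top-level one, so that route gets its own.
	fmt.Println("no Path, set on /api/v1/items, sent to /login:", CookiesSentTo("", "/api/v1/items", "/login"))
	fmt.Println("Path=/,  set on /api/v1/items, sent to /login:", CookiesSentTo("/", "/api/v1/items", "/login"))
	fmt.Println("no Path, set on /login, sent to /api:", CookiesSentTo("", "/login", "/api"))
}
```

Setting Path: "/" explicitly through SetBaseCookie removes the dependence on the request URL, which is why it collapses the per-route cookies into one. On a single-tenant host this loses nothing: Path is not a reliable isolation boundary by itself (RFC 6265 section 8.5 notes that user agents do not isolate cookies by path for non-HTTP APIs such as document.cookie), so the Domain attribute and the token check are what carry the security, not the path scoping.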

Ok. And thanks.

Just one note:

it is the default behavior even if you do not set Path & Domain explicitly.

It is not.

If I don't explicitly use this code: nosurf.SetBaseCookie(http.Cookie{Path: "/"}), I get many cookies with many different paths for the routes in the first post of this thread.

@elithrar OK. So I can remove the constant Path: "/" from the code.

Thanks.

@elithrar I'm trying but there is a problem in what you said.

See this:

[screenshot]

And in each network call I have both "X-CSRF-Token", see here:

[screenshot]

I think you want to keep it, so that the cookie is valid across all paths.

I changed my mind because you said the cookie is only sent for the matching path, but as you can see in the screenshots this doesn't work. Maybe because of localhost?

And as you can see there is also a strange thing: in the network call cookies, both "X-CSRF-Token" entries have no path, just "N/A", and the HttpOnly box is not checked either. Why?

@elithrar My code here: #52

Are these AJAX requests? Where is X-CSRF-Token coming from? I don't see you setting a cookie with that name here at all. Is your AJAX middleware sending the right thing?

That cookie comes from func addCookie. I changed the name.