Comments (13)
from nosurf.
Hi,
As far as I am aware, you do not need to set Path
for each page: having no Path
attribute should function the same as Path: "/"
.
Path
is basically just a security measure, similar to Domain
. For example, if I host my site at example.com/justinas
and you have yours example.com/frederikhors
, you would set the path to /frederikhors
in order to not expose your cookies to my application.
Nosurf handler will by default both verify and set a cookie, no matter what route you hit. Even Exempt*()
functions only skip the verification - the cookie is still generated. See discussions on #22 or #37 for more info.
from nosurf.
Ok, @justinas I understood.
What I mean is: Do I really need all the cookies for each Path? (more cookies more request size).
If I use surfing.SetBaseCookie(http.Cookie{Path: "/"})
it overwrites every time my csrf cookie and I'm ok.
Now everytime nosurf generates a cookie I have just one cookie with Path: "/" and Domain: ".mydomain.com".
Every page can use it (in case we want to hypothesize an eventual form rendered on each page).
The questions:
- Is this behavior security safe?
- Am I wrong doing this?
I can do this - IMO - because I do not have any subdomain like in your example:
For example, if I host my site at example.com/justinas and you have yours example.com/frederikhors, you would set the path to /frederikhors in order to not expose your cookies to my application.
from nosurf.
Having just one cookie with a path and domain like that is absolutely fine and in fact it is the default behavior even if you do not set Path & Domain explicitly.
from nosurf.
Ok. And thanks.
Just one note:
it is the default behavior even if you do not set Path & Domain explicitly.
It is not.
If I don't use explicitely this code: surfing.SetBaseCookie(http.Cookie{Path: "/"})
I have many cookies with many different paths with those routes in the first post of this thread.
from nosurf.
@elithrar ok. So I can remove the constant Path: "/"
in code.
Thanks.
from nosurf.
from nosurf.
@elithrar I'm trying but there is a problem in what you said.
See this:
And in each network call I have both "X-CSRF-Token", see here:
I think you want to keep it, so that the cookie is valid across all paths.
I changed my mind because you said the cookie is just sent with the accurate path, but as you can see in screens this doesn't work. Maybe for the localhost?
And as you can see there is also a strange thing: in network call cookies there are both "X-CSRF-Token" without path: just a "N/A", neither the HTTP-Only check. Why?
from nosurf.
from nosurf.
from nosurf.
Are these AJAX requests? Where is X-CSRF-Token coming from? I don't see you setting a cookie with that name here at all. Is your AJAX middleware sending the right thing?
from nosurf.
That cookie comes from func addCookie
. I changed the name.
from nosurf.
@elithrar That cookie comes from func addCookie
. I changed the name.
from nosurf.
Related Issues (20)
- Filtering out safe methods and excluded paths HOT 2
- Token value error HOT 6
- Send a response body in defaultFailureHandler HOT 2
- please consider updating tags or deleting the current tag HOT 3
- example is insecure HOT 4
- Remove Referer check HOT 1
- Possible flaw HOT 2
- SetBaseCookie not having effect HOT 8
- Wiki page for newbies doubts and problems
- Prevent form resubmit HOT 1
- Logging HOT 1
- Combining Session and CSRF cookie HOT 3
- Is this normal behavior? HOT 5
- RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set
- How does nosurf OTP protect against BREACH? HOT 5
- Inappropriate key in call to `context.WithValue`
- Ability to handle multiple cookies in context HOT 5
- Installing command of `nosurf` is missing in README.md
- CSRF failed with bad request HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nosurf.