Doubts about many cookies and many Path for a single domain. about nosurf HOT 13 OPEN

from nosurf.

Hi,

As far as I am aware, you do not need to set Path for each page: having no Path attribute should function the same as Path: "/".

Path is basically just a security measure, similar to Domain. For example, if I host my site at example.com/justinas and you have yours example.com/frederikhors, you would set the path to /frederikhors in order to not expose your cookies to my application.

Nosurf handler will by default both verify and set a cookie, no matter what route you hit. Even Exempt*() functions only skip the verification - the cookie is still generated. See discussions on #22 or #37 for more info.

from nosurf.

Ok, @justinas I understood.

What I mean is: Do I really need all the cookies for each Path? (more cookies more request size).

If I use surfing.SetBaseCookie(http.Cookie{Path: "/"}) it overwrites every time my csrf cookie and I'm ok.

Now everytime nosurf generates a cookie I have just one cookie with Path: "/" and Domain: ".mydomain.com".

Every page can use it (in case we want to hypothesize an eventual form rendered on each page).

The questions:

• Is this behavior security safe?
• Am I wrong doing this?

I can do this - IMO - because I do not have any subdomain like in your example:

For example, if I host my site at example.com/justinas and you have yours example.com/frederikhors, you would set the path to /frederikhors in order to not expose your cookies to my application.

from nosurf.

Having just one cookie with a path and domain like that is absolutely fine and in fact it is the default behavior even if you do not set Path & Domain explicitly.

from nosurf.

Ok. And thanks.

Just one note:

it is the default behavior even if you do not set Path & Domain explicitly.

It is not.

If I don't use explicitely this code: surfing.SetBaseCookie(http.Cookie{Path: "/"}) I have many cookies with many different paths with those routes in the first post of this thread.

from nosurf.

@elithrar ok. So I can remove the constant Path: "/" in code.

Thanks.

from nosurf.

from nosurf.

@elithrar I'm trying but there is a problem in what you said.

See this:

And in each network call I have both "X-CSRF-Token", see here:

I think you want to keep it, so that the cookie is valid across all paths.

I changed my mind because you said the cookie is just sent with the accurate path, but as you can see in screens this doesn't work. Maybe for the localhost?

And as you can see there is also a strange thing: in network call cookies there are both "X-CSRF-Token" without path: just a "N/A", neither the HTTP-Only check. Why?

from nosurf.

from nosurf.

@elithrar My code here: #52

from nosurf.

Are these AJAX requests? Where is X-CSRF-Token coming from? I don't see you setting a cookie with that name here at all. Is your AJAX middleware sending the right thing?

from nosurf.

That cookie comes from func addCookie. I changed the name.

from nosurf.

@elithrar That cookie comes from func addCookie. I changed the name.

from nosurf.