
Comments (8)

utrack commented on September 23, 2024

Oh wait, I've just understood what you mean.
CSRF token is generated once per user session until it expires or gets deleted.

from gin-csrf.

utrack commented on September 23, 2024

Well, you can, but a CSRF library is a poor choice for this.
You can easily do the same yourself by handing out a random token in the form (unique per user), storing it in the session, and then validating and removing it from the session once the POST has happened. You'll need some session storage for that (like Redis or files).


utrack commented on September 23, 2024

Are you replaying the exact request, or re-creating CSRF tokens as legitimate requests would do?


yb3616 commented on September 23, 2024

The Go program:

package main

import (
    "github.com/gin-contrib/sessions"
    "github.com/gin-gonic/gin"
    "github.com/utrack/gin-csrf"
)

func main() {
    r := gin.Default()
    // Cookie-backed session store; the key authenticates the session cookie.
    // sessions.NewCookieStore is the older gin-contrib/sessions API; current
    // releases provide the same store as cookie.NewStore in
    // github.com/gin-contrib/sessions/cookie.
    store := sessions.NewCookieStore([]byte("Here is some characters just for security."))
    r.Use(sessions.Sessions("GinSessionID", store))
    // gin-csrf: every non-safe request must carry a token that matches the
    // one derived from Secret and the salt kept in the session.
    r.Use(csrf.Middleware(csrf.Options{
        Secret: "secret123",
        ErrorFunc: func(c *gin.Context) {
            c.String(400, "CSRF token mismatch")
            c.Abort()
        },
    }))
    r.LoadHTMLGlob("assets/*")
    // GET renders the form with the session's token.
    r.GET("/protected", func(c *gin.Context) {
        c.HTML(200, "index.html", gin.H{
            "csrf": csrf.GetToken(c),
        })
    })
    // POST only reaches this handler after the middleware accepted the token.
    r.POST("/protected", func(c *gin.Context) {
        c.String(200, "CSRF token is valid")
    })
    r.Run(":8080")
}

assets/index.html (the template):

<form method="post">
    <input type="hidden" name="_csrf" value="{{.csrf}}">
    <input type="submit">
</form>


yb3616 commented on September 23, 2024

The file "assets/index.html" is just a form like <input type="text" name="_csrf" value="{{.csrf}}">


yb3616 commented on September 23, 2024

I only GET localhost:8080/protected once, but POST it and then refresh the site over and over again. It always shows me "CSRF token is valid".


utrack commented on September 23, 2024

It is correct behaviour, since you're always receiving a new CSRF token when going to assets/index.
You should try replaying the request with cURL or something like that.


yb3616 commented on September 23, 2024

Thanks, I got it. But there is still a problem. I used to prevent the user from posting the data more than once by using a random value, just like a CSRF token. I wonder if I can do this using your code?

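The one-time form token utrack describes above (hand out a random token per form render, keep it in the session, validate and remove it when the POST arrives) and the replay check utrack suggests doing with cURL can be seen together in one program. What follows is an added example written for this page; it is not code from gin-csrf or from either participant. It uses only the Go standard library so it runs without gin, replaces the session backend (Redis, files) with an in-memory map, and assumes a "sid" cookie identifies the session, which gin-contrib/sessions would manage in the real application. The names formTokens, Issue, Consume, newHandler and replay are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"sync"
)

// formTokens is a constructed in-memory stand-in for the session storage the pattern
// needs. Each live key is sessionID + "\x00" + token; tokens are base64url, so NUL is unambiguous.
type formTokens struct {
	mu   sync.Mutex
	live map[string]struct{}
}

// Issue mints 256 random bits for one rendering of the form and records the token under the session.
func (f *formTokens) Issue(sessionID string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable inside a request handler
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	f.mu.Lock()
	defer f.mu.Unlock()
	if f.live == nil {
		f.live = make(map[string]struct{})
	}
	f.live[sessionID+"\x00"+tok] = struct{}{}
	return tok
}

// Consume accepts a token only if this session issued it and it is still unused.
// Lookup and deletion share one lock, so two concurrent submissions cannot both pass.
func (f *formTokens) Consume(sessionID, tok string) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	key := sessionID + "\x00" + tok
	if _, ok := f.live[key]; !ok {
		return false
	}
	delete(f.live, key)
	return true
}

// newHandler serves the same GET/POST /protected pair as the gin program in the thread,
// with a one-time form token in place of gin-csrf's per-session token. The session ID
// is read from a "sid" cookie (an assumption of this example).
func newHandler(store *formTokens) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sid, err := r.Cookie("sid")
		if err != nil {
			http.Error(w, "no session", http.StatusBadRequest)
			return
		}
		switch r.Method {
		case http.MethodGet:
			tok := store.Issue(sid.Value)
			fmt.Fprintf(w, `<form method="post"><input type="hidden" name="_csrf" value="%s"><input type="submit"></form>`, html.EscapeString(tok))
		case http.MethodPost:
			// Validate and remove in one step: a replayed POST carrying the same
			// token no longer finds it in the session and is rejected.
			if !store.Consume(sid.Value, r.FormValue("_csrf")) {
				http.Error(w, "form token missing, mismatched or already used", http.StatusBadRequest)
				return
			}
			fmt.Fprint(w, "form accepted")
		}
	})
}

var tokenRe = regexp.MustCompile(`name="_csrf" value="([^"]+)"`)

// replay performs in-process the check utrack suggested doing with cURL: render the form
// once, submit it, then replay the identical POST. It returns the status codes of the
// GET, the first POST and the replayed POST.
func replay() (getStatus, firstPost, secondPost int) {
	h := newHandler(&formTokens{})
	cookie := &http.Cookie{Name: "sid", Value: "constructed-session-id"}
	do := func(method, body string) *httptest.ResponseRecorder {
		req := httptest.NewRequest(method, "/protected", strings.NewReader(body))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.AddCookie(cookie)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec
	}
	page := do(http.MethodGet, "")
	tok := tokenRe.FindSubmatch(page.Body.Bytes())[1] // the hidden _csrf value a browser would submit
	form := url.Values{"_csrf": {string(tok)}}.Encode()
	return page.Code, do(http.MethodPost, form).Code, do(http.MethodPost, form).Code
}

func main() {
	fmt.Println(replay()) // 200 200 400
}
```

The contrast with the gin program above is the third status code: gin-csrf keeps one token per session, so the replayed POST is accepted there, whereas here Consume deleted the token on first use and the replay gets a 400. A production version of this store also needs an expiry or a per-session cap on issued tokens, since every form render adds an entry and nothing in the example removes entries that are never submitted.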
