-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Doubts about many cookies and many Path for a single domain. #53
Comments
Hi, As far as I am aware, you do not need to set
Nosurf handler will by default both verify and set a cookie, no matter what route you hit. Even |
Ok, @justinas I understood. What I mean is: Do I really need all the cookies for each Path? (more cookies more request size). If I use Now everytime nosurf generates a cookie I have just one cookie with Path: "/" and Domain: ".mydomain.com". Every page can use it (in case we want to hypothesize an eventual form rendered on each page). The questions:
I can do this - IMO - because I do not have any subdomain like in your example:
|
Having just one cookie with a path and domain like that is absolutely fine and in fact it is the default behavior even if you do not set Path & Domain explicitly. |
Ok. And thanks. Just one note:
It is not. If I don't use explicitely this code: |
If you don’t set Path, it is set to the _current_ path that the cookie was
issued at.
Cookies are then sent for that Path as long as the path prefix matches. A
cookie issued for “/admin” will be sent for “/admin/dashboard”,
“/admin/audit-log”, etc.
It will not be sent for “/login” or “/forms/about”.
Thus, you end up with N many cookies for distinct top-level routes.
Short answer: set the Path to “/“, it is not less secure. The token is no
less guessable than before.
…On Fri, Jan 11, 2019 at 4:38 AM frederikhors ***@***.***> wrote:
Ok. And thanks.
Just one note:
it is the default behavior even if you do not set Path & Domain explicitly.
*It is not.*
If I don't use explicitely this code: surfing.SetBaseCookie(http.Cookie{Path:
"/"}) I have many cookies with many different paths with those routes in
the first post of this thread.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#53 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABIcKHNaKye7WFilB9zwDs6GfwGepdJks5vCIXGgaJpZM4Z6joA>
.
|
@elithrar ok. So I can remove the constant Thanks. |
I think you want to *keep* it, so that the cookie is valid across all
paths.
…On Fri, Jan 11, 2019 at 11:43 AM frederikhors ***@***.***> wrote:
@elithrar <https://github.com/elithrar> ok. So I can remove the constant Path:
"/" in code.
Thanks.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#53 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABIcIAFz9e-H4hgWYl7fWqeQ5GGRlYyks5vCOl2gaJpZM4Z6joA>
.
|
@elithrar I'm trying but there is a problem in what you said. See this: And in each network call I have both "X-CSRF-Token", see here:
I changed my mind because you said the cookie is just sent with the accurate path, but as you can see in screens this doesn't work. Maybe for the localhost? And as you can see there is also a strange thing: in network call cookies there are both "X-CSRF-Token" without path: just a "N/A", neither the HTTP-Only check. Why? |
Show more of your Go code - do you have one instance of nosurf? More than
one?
…On Fri, Jan 11, 2019 at 12:07 PM frederikhors ***@***.***> wrote:
@elithrar <https://github.com/elithrar> I'm trying but there is a problem
in what you said.
See this:
[image: image]
<https://user-images.githubusercontent.com/41120635/51056888-525c0580-15e4-11e9-8d55-a4179a734dcc.png>
And in each network call I have both "X-CSRF-Token", see here:
[image: image]
<https://user-images.githubusercontent.com/41120635/51056929-76b7e200-15e4-11e9-9eae-f9a97a2f0b9f.png>
I think you want to *keep* it, so that the cookie is valid across all
paths.
I changed my mind because you said the cookie is just sent with the
accurate path, but as you can see in screens this doesn't work. Maybe for
the localhost?
And as you can see there is also a strange thing: in network call cookies
there are both "X-CSRF-Token" without path: just a "N/A", neither the
HTTP-Only check. Why?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#53 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABIcCPUoloF_yI4lCUbiMFmeIwBrhTkks5vCO7kgaJpZM4Z6joA>
.
|
Are these AJAX requests? Where is X-CSRF-Token coming from? I don't see you setting a cookie with that name here at all. Is your AJAX middleware sending the right thing? |
That cookie comes from |
@elithrar That cookie comes from |
Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (#52).
Writing #52 I had a doubt:
I need to use
surfing.SetBaseCookie(http.Cookie{Path: "/"})
?I don't know if many csrf cookies makes sense if I have these routes:
Why nosurf keep creating cookies for these routes? I think I just need one cookie on the Path: "/" and Domain: ".mysite.com".
Where am I wrong?
The text was updated successfully, but these errors were encountered: