🤗 why it's not possible to set cookie for CSRF middleware expire date to session? #1610

Closed
Makemanback opened this issue Nov 1, 2021 · 4 comments · Fixed by #1752

Makemanback commented Nov 1, 2021

Hello. Why is it impossible to set a session cookie in the https://docs.gofiber.io/api/middleware/csrf middleware? In the context of security against XSS/CSRF attacks, session cookies are more secure.

Or is it possible to set cookies as session in this middleware?

If I set Expiration to 0, the Expiration field goes into the header, but if I want to make the cookie a session cookie, I should not set the Max-Age and Expires headers.

Session cookie - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie


welcome bot commented Nov 1, 2021

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

Makemanback changed the title from "🤗 why it's not possible to set XXS/CSRF cookie" to "🤗 why it's not possible to set cookie for CSRF middleware expire date to session?" Nov 1, 2021
@ReneWerner87
Member

https://github.com/gofiber/fiber/blob/master/middleware/csrf/csrf.go#L73
@Makemanback
Yes, I see that should be added if necessary. Not a bad idea; if we can make the configuration understandable for this setting, then happy to do so.

Pull requests are welcome.

@abhi12299
Contributor

@ReneWerner87 we could have a field named SessionOnly or something similar which if true will ignore max age and expires header. How does that sound? I could work on this.

@ReneWerner87
Member

Sounds okay.
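
The distinction discussed in this thread, as an added example that is not part of the original issue and is not Fiber's code: it uses Go's standard `net/http` to build a CSRF cookie with and without lifetime attributes, then checks a `Set-Cookie` value for `Expires` and `Max-Age`. The `sessionOnly` parameter, the helper names and the token value are assumptions modelled on the `SessionOnly` idea above.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// csrfCookie builds a CSRF cookie with net/http. sessionOnly is a hypothetical
// flag modelled on the SessionOnly idea in the thread: when true, neither
// Expires nor Max-Age is set, so the browser drops the cookie when its session ends.
func csrfCookie(token string, expiration time.Duration, sessionOnly bool) *http.Cookie {
	c := &http.Cookie{
		Name:     "csrf_", // constructed cookie name
		Value:    token,
		Path:     "/",
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
	if !sessionOnly {
		c.Expires = time.Now().Add(expiration)
		c.MaxAge = int(expiration.Seconds())
	}
	return c
}

// isSessionCookie parses one Set-Cookie header value and reports whether it
// carries neither an Expires nor a Max-Age attribute.
func isSessionCookie(setCookie string) (bool, error) {
	resp := http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	cookies := resp.Cookies()
	if len(cookies) != 1 {
		return false, fmt.Errorf("expected one cookie, parsed %d", len(cookies))
	}
	c := cookies[0]
	// net/http parses "Max-Age=0" as MaxAge == -1, so 0 means the attribute is absent.
	return c.RawExpires == "" && c.MaxAge == 0, nil
}

func main() {
	for _, c := range []*http.Cookie{
		csrfCookie("tok123", time.Hour, false), // persistent
		csrfCookie("tok123", 0, false),         // zero lifetime still emits Expires
		csrfCookie("tok123", time.Hour, true),  // session cookie
	} {
		header := c.String()
		session, err := isSessionCookie(header)
		fmt.Printf("session=%v err=%v  %s\n", session, err, header)
	}
}
```

The same `isSessionCookie` check can be pointed at a `Set-Cookie` value captured from a real response to confirm that a deployed CSRF cookie is not persisted.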
