🐛 [Bug]: Csrf with Session store does not support secure cookie middleware #2743
Comments
@rngallen Here's a working example. Be aware that middleware order matters. Also, if you use Replace the key in the example with your secret key:

```go
package main

import (
	"fmt"
	"html"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/csrf"
	"github.com/gofiber/fiber/v2/middleware/encryptcookie"
	"github.com/gofiber/fiber/v2/middleware/session"
)

func main() {
	app := fiber.New()

	// Example: Encryptcookie middleware (registered before the CSRF middleware;
	// the order matters)
	app.Use(encryptcookie.New(encryptcookie.Config{
		Key: "t+A2pNQ+GM117Uj7AhaHq/BwjWzZwBT9crgOSY6eWjA=",
	}))

	sessionStore := session.New(session.Config{})

	// Example: CSRF middleware backed by the session store
	app.Use(csrf.New(csrf.Config{
		KeyLookup:  "form:csrfToken",
		Session:    sessionStore,
		ContextKey: "csrfToken",
	}))

	// Route handler
	app.Get("/", func(c *fiber.Ctx) error {
		// HTML page with a form that posts back to /; the CSRF token from
		// c.Locals is embedded as a hidden form field
		csrfToken := c.Locals("csrfToken")
		page := `
<html>
<body>
<form action="/" method="POST">
<input type="text" name="test" />
<input type="submit" value="Submit" />
<input type="hidden" name="csrfToken" value="` + csrfToken.(string) + `" />
</form>
</body>
</html>
`
		c.Type("html")
		return c.SendString(page)
	})

	app.Post("/", func(c *fiber.Ctx) error {
		csrfToken := c.Locals("csrfToken")
		// Escape the submitted value before embedding it in HTML
		submitted := html.EscapeString(c.FormValue("test"))
		page := `
<html>
<body>
<p>You submitted: ` + submitted + `</p>
<form action="/" method="POST">
<input type="text" name="test" />
<input type="submit" value="Submit" />
<input type="hidden" name="csrfToken" value="` + csrfToken.(string) + `" />
</form>
</body>
</html>
`
		c.Type("html")
		return c.SendString(page)
	})

	// Listen on port 3000
	err := app.Listen(":3000")
	if err != nil {
		fmt.Println("Error:", err)
	}
}
```
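The point about middleware order, as an added example that is not part of this thread and not Fiber's code: a stand-alone Go model of a handler chain in which a cookie-decrypting middleware and a session-backed CSRF check are registered in each order. The `ctx` type, the chain runner, `encrypt`/`decrypt` (base64 standing in for real encryption), the `csrf_` cookie name and the `csrf_token` session key are all assumptions of the model.

```go
package main

import "encoding/base64"

// Constructed model, not Fiber code: a tiny handler chain showing why the
// order of the encryptcookie and csrf middlewares matters.
type ctx struct {
	cookies map[string]string // request cookies as the current handler sees them
	session map[string]string // server-side session holding the CSRF token
}
type middleware func(c *ctx, next func() int) int
// run executes the chain in registration order (like app.Use) and returns the status.
func run(mws []middleware, c *ctx) int {
	if len(mws) == 0 {
		return 200 // every middleware called next(): the handler ran
	}
	return mws[0](c, func() int { return run(mws[1:], c) })
}

// base64 stands in for real encryption; it only has to make the stored
// cookie value differ from the plaintext token.
func encrypt(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
func decrypt(s string) string {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "" // undecryptable value: behave as if no cookie was sent
	}
	return string(b)
}
// encryptCookie decrypts incoming cookies before calling the next handler.
func encryptCookie(c *ctx, next func() int) int {
	for name, v := range c.cookies {
		c.cookies[name] = decrypt(v)
	}
	return next()
}
// csrfCheck compares the csrf_ cookie with the token kept in the session.
func csrfCheck(c *ctx, next func() int) int {
	if c.cookies["csrf_"] == "" || c.cookies["csrf_"] != c.session["csrf_token"] {
		return 403
	}
	return next()
}

// simulate replays a request whose csrf_ cookie was encrypted on an earlier response:
// {csrfCheck, encryptCookie} -> 403 (the check sees ciphertext); {encryptCookie, csrfCheck} -> 200.
func simulate(order []middleware) int {
	token := "constructed-token-123"
	return run(order, &ctx{cookies: map[string]string{"csrf_": encrypt(token)}, session: map[string]string{"csrf_token": token}})
}
```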
@rngallen by default, the

```go
app.Use(encryptcookie.New(encryptcookie.Config{
	Key: "t+A2pNQ+GM117Uj7AhaHq/BwjWzZwBT9crgOSY6eWjA=",
	Except: []string{
	},
}))
```
Thanks, but after working around it I have discovered the following:

```go
// Store, the response package and the AUTH_KEY/USER_UID/SUPER_USER/SUB
// constants are defined elsewhere in this application.
func AuthMiddleware(c *fiber.Ctx) error {
	sess, err := Store.Get(c)
	if err != nil {
		return c.Status(fiber.StatusUnauthorized).JSON(response.UnAuthorized(""))
	}
	if sess.Get(AUTH_KEY) == nil {
		return c.Status(fiber.StatusUnauthorized).JSON(response.UnAuthorized(""))
	}
	// Add user to the next handler
	c.Locals("userUid", sess.Get(USER_UID))
	c.Locals("superUser", sess.Get(SUPER_USER))
	c.Locals("sub", sess.Get(SUB))
	// Update user session expiration time
	// Uncomment this to enable the cookie to be updated on each request
	// if err := sess.Save(); err != nil {
	// 	return err
	// }
	return c.Next()
}
```

The session kept updating on every request. And because I am using JS (Next.js) on the frontend, I have to save this cookie (or cookies) on every request; I think it's not a proper way. On top of that, the session max-age/expires keeps getting extended on each request. Is it best practice to keep updating the session on each request?
Let's address each point:
The Synchronizer Token Pattern is the recommended method if practical, as the double submit cookie pattern has known weaknesses. However, when combined with other techniques it is likely sufficient for most use cases. I recommend reading both OWASP's defense-in-depth techniques and our own CSRF#Defense-In-Depth, as well as Googling "is csrf dead" for more about the cookie SameSite attribute and cookie prefixes. Finally, it should go without saying, but please use HTTPS. I hope that helps.
Bug Description
Store defined as
Csrf Configuration
This works perfectly, but if I enable the secure cookie middleware,
CSRF always returns Forbidden.
How to Reproduce
Enable the secure cookie middleware when CSRF storage uses the session store.
Expected Behavior
I expect it should also work when the secure cookie middleware is in use.
Fiber Version
2.51.0
Code Snippet (optional)