Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set #61

Open
aeneasr opened this issue Oct 14, 2020 · 0 comments
Open

RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set #61

aeneasr opened this issue Oct 14, 2020 · 0 comments

Comments

@aeneasr
Copy link
Contributor

aeneasr commented Oct 14, 2020

Calling RegenerateToken() in a request context where the client is not sending a CSRF cookie, two CSRF cookies will be generated:

map[Set-Cookie:[csrf_token=aZA5CKCpmzGwlyfyFZp1akOOo4dSbZEdSAziaN+nRYE=; Path=/; Domain=example.com; Max-Age=31536000; HttpOnly; Secure csrf_token=xe/JUh5YavyzQtmIqU018swoHmPN5nQsTSqSJscKJU4=; Path=/; Domain=example.com; Max-Age=31536000; HttpOnly; Secure] Vary:[Cookie]]

Depending on the order of the browser stores the cookie, this can lead to false-positive CSRF detection.
aeneasr added a commit to aeneasr/nosurf that referenced this issue Oct 14, 2020
@aeneasr
Add failing test case for double cookie setting
ec1bc1f 
See justinas#61
@aeneasr aeneasr mentioned this issue Oct 14, 2020
Open
aeneasr added a commit to aeneasr/nosurf that referenced this issue Oct 14, 2020
@aeneasr
Prevent multiple Set-Cookie headers when calling RegenerateToken
7ee434d 
Closes justinas#61
aeneasr added a commit to aeneasr/nosurf that referenced this issue Oct 14, 2020
@aeneasr
Prevent multiple Set-Cookie headers when calling RegenerateToken
63db8e2 
Closes justinas#61
aeneasr added a commit to aeneasr/nosurf that referenced this issue Oct 14, 2020
@aeneasr
Prevent multiple Set-Cookie headers when calling RegenerateToken
3dd5c4d 
Closes justinas#61
aeneasr added a commit to aeneasr/nosurf that referenced this issue Oct 14, 2020
@aeneasr
Prevent multiple Set-Cookie headers when calling RegenerateToken
b10b0e9 
Closes justinas#61
aeneasr added a commit to ory/nosurf that referenced this issue Oct 22, 2020
@aeneasr
Add failing test case for double cookie setting
20d597e 
See justinas#61
aeneasr added a commit to ory/nosurf that referenced this issue Oct 22, 2020
@aeneasr
Prevent multiple Set-Cookie headers when calling RegenerateToken
2ba8293 
Closes justinas#61
aeneasr added a commit to ory/nosurf that referenced this issue Oct 22, 2020
@aeneasr
Add failing test case for double cookie setting
a47ef53 
See justinas#61
aeneasr added a commit to ory/nosurf that referenced this issue Oct 22, 2020
@aeneasr
Prevent multiple Set-Cookie headers when calling RegenerateToken
f212597 
Closes justinas#61
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@aeneasr