Hi, it seems to me in v2 there is no way to explicitly specify CSRF-checking (like in v1 with @CsrfTokenRequired on certain routes). It is always turned on upon @UseSessions with cookie and settings.session.csrf.enabled set to true. Right?
This would lead to something inconvenient: normally on a log-in page I would not use CSRF because a user there mostly has no session yet. But after login, if the user visits that page and tries to log in again, Foal will throw an error "CSRF token missing or incorrect.". This scenario could happen e.g. if I have multiple accounts and want to sign in without signing out of another one first.
The login controller code I use is identical to the one in the docs.
Or am I using Foal incorrectly? Thanks!
Hi, it seems to me in v2 there is no way to explicitly specify CSRF-checking (like in v1 with @CsrfTokenRequired on certain routes). It is always turned on upon @UseSessions with cookie and settings.session.csrf.enabled set to true. Right?
Correct.
This would lead to something inconvenient: normally on a log-in page I would not use CSRF because a user there mostly has no session yet. But after login, if the user visits that page and tries to log in again, Foal will throw an error "CSRF token missing or incorrect.". This scenario could happen e.g. if I have multiple accounts and want to sign in without signing out of another one first.
Could you simply include the CSRF token when it exists? I would recommend this approach to prevent an attacker from forcing you to log into another account with your current session.
However, it is true that a csrf option is missing in UseSessions to override the configuration behavior (like the openapi option). I thought I added it but apparently not. Let's add it in the next release.
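The maintainer's recommendation above (send the CSRF token whenever the visitor already has a session, so a cross-site form post cannot switch a logged-in user into a different account) as an added example. This is a framework-agnostic TypeScript sketch written for this page, not FoalTS code and not the issue author's controller; the in-memory session store, the `_csrf` hidden field name, the `X`-free cookie model and the plaintext user table are all constructed assumptions.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Constructed model of a session-cookie application (not FoalTS internals).
interface Session { id: string; csrfToken: string; userId?: string }
interface LoginRequest {
  sessionCookie?: string;                       // session id sent by the browser, if any
  body: { email: string; password: string; _csrf?: string };
}
export type LoginResult = { status: 200; sessionId: string } | { status: 403; error: string };

const sessions = new Map<string, Session>();

// Constructed user table with plaintext passwords; a real app compares password hashes.
const USERS: Record<string, { password: string; userId: string }> = {
  "alice@example.com": { password: "alice-pw", userId: "alice" },
  "bob@example.com": { password: "bob-pw", userId: "bob" },
};

export function createSession(userId?: string): Session {
  const session: Session = {
    id: randomBytes(16).toString("hex"),
    csrfToken: randomBytes(32).toString("hex"),
    userId,
  };
  sessions.set(session.id, session);
  return session;
}

export function csrfTokenFor(sessionId: string): string | undefined {
  return sessions.get(sessionId)?.csrfToken;
}

// Constant-time comparison so token checks do not leak by timing.
function tokensMatch(a: string, b: string): boolean {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// The login page embeds the hidden _csrf field only when a session already exists,
// which is exactly the case the issue describes (logging in again while logged in).
export function renderLoginForm(sessionCookie?: string): string {
  const session = sessionCookie ? sessions.get(sessionCookie) : undefined;
  const hidden = session ? `<input type="hidden" name="_csrf" value="${session.csrfToken}">` : "";
  return `<form method="post" action="/login">${hidden}` +
    `<input name="email"><input name="password" type="password"><button>Log in</button></form>`;
}

export function handleLogin(req: LoginRequest): LoginResult {
  const existing = req.sessionCookie ? sessions.get(req.sessionCookie) : undefined;
  // No session yet: nothing an attacker could ride on, so no token is required.
  // Session present: require the token, otherwise a cross-site POST could log the
  // victim into an account the attacker controls (login CSRF).
  if (existing) {
    const supplied = req.body._csrf;
    if (!supplied || !tokensMatch(supplied, existing.csrfToken)) {
      return { status: 403, error: "CSRF token missing or incorrect." };
    }
  }
  const user = USERS[req.body.email];
  if (!user || user.password !== req.body.password) {
    return { status: 403, error: "Invalid credentials." };
  }
  // Issue a fresh session on successful login (discarding the old one) so that
  // a pre-login session id does not survive authentication.
  if (existing) sessions.delete(existing.id);
  const fresh = createSession(user.userId);
  return { status: 200, sessionId: fresh.id };
}
```

A first login with no cookie succeeds without a token; a second login from the same session is rejected unless the form carried the `_csrf` value that `renderLoginForm` embeds for that session.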
LoicPoullain changed the title from "Using CSRF in v2" to "Add CSRF option in UseSessions to override the configuration" on Jan 11, 2021.