Resolve base64 cookie truncation race condition. #30

merged 2 commits into from Jul 17, 2012




Patch base64 encoding to strip padding and remove non-URL-safe characters, to prevent the value from being stripped/truncated in the cookie (`=` stripped, truncated at `/` as a separator).

Problematic because initial cookie value causes requests to fail when matching body and head, but on subsequent requests, truncated value becomes cookie value used in both body and head when performing CSRF request verification.
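The failure mode described above, as an added example that is not part of the pull request or the project's code: it compares a standard base64 token with a padding-free URL-safe one under a double-submit CSRF check. `mangle_like_cookie` is an assumed model of the stripping and truncation the description reports, and all function names and the sample bytes are constructed for illustration.

```python
import base64
import hmac

# Constructed sample bytes, chosen so the standard encoding contains '/' and '='.
SAMPLE_RAW = b"\x00\x10\x83\xff"

def std_token(raw: bytes) -> str:
    """Standard base64: may contain '+', '/' and trailing '=' padding."""
    return base64.b64encode(raw).decode("ascii")

def cookie_safe_token(raw: bytes) -> str:
    """URL-safe alphabet ('-' and '_') with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_token(token: str) -> bytes:
    """Restore the stripped padding before decoding a cookie-safe token."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def mangle_like_cookie(value: str) -> str:
    """Assumed model of the reported behaviour: the value is cut at the
    first '/' (treated as a separator) and '=' characters are stripped."""
    return value.split("/", 1)[0].replace("=", "")

def csrf_ok(cookie_value: str, body_value: str) -> bool:
    """Double-submit check: cookie and body token must match exactly."""
    return hmac.compare_digest(cookie_value.encode(), body_value.encode())

def first_and_second_request(token: str) -> tuple:
    """Return (first_ok, second_ok) for two consecutive requests."""
    # Request 1: the body carries the token as issued, while the cookie
    # arrives in its mangled form.
    stored = mangle_like_cookie(token)
    first_ok = csrf_ok(stored, token)
    # Request 2: the client now reads the stored cookie and sends that
    # same (possibly truncated) value in both cookie and body.
    second_ok = csrf_ok(mangle_like_cookie(stored), stored)
    return first_ok, second_ok

if __name__ == "__main__":
    for name, make in (("standard", std_token), ("cookie-safe", cookie_safe_token)):
        tok = make(SAMPLE_RAW)
        print(name, repr(tok), first_and_second_request(tok))
```

With the standard encoding the first request fails and later ones pass on a shortened token, so the value being verified carries less of the original random data than was issued.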

@reiddraper reiddraper was assigned Jul 17, 2012

+1 to merge

@cmeiklejohn cmeiklejohn merged commit 6a1161c into 1.2 Jul 17, 2012
@seancribbs seancribbs deleted the csm_resolve_base64_cookie_issues branch Apr 1, 2015