[app.ini] Enable customise CSRF cookie name for "Invalid csrf token" #4172

Closed
yyxx9988 opened this issue Feb 22, 2017 · 12 comments
Labels
🔨 enhancement Make it better, faster status: needs feedback Tell me more about it
Comments

yyxx9988 commented Feb 22, 2017

There is a case that produces an "Invalid csrf token" error:

domain: example.com
sub-domain 1: normal.example.com => sets cookie _csrf, and the cookie domain is *.example.com
sub-domain 2: gogs.example.com => sets cookie _csrf, and the cookie domain is gogs.example.com

If a user only uses gogs.example.com, everything is fine;
If another user is redirected to gogs.example.com from normal.example.com, he gets "Invalid csrf token" because the CSRF cookies are mixed.

unknwon (Member) commented Feb 22, 2017

Why would you allow users to use different domains to connect to your Gogs? I think CSRF did exactly the right thing.

@unknwon unknwon added the status: needs feedback Tell me more about it label Feb 22, 2017
@yyxx9988 (Author)

Thanks.

It is by design -- cookies are shared between different sub-domains to keep user state (login, logout, posts, comments...).

There are more sub-domains, like a.example.com, b.example.com, c.example.com, gogs.example.com...

But the _csrf from gogs.example.com conflicts with the _csrf from the globally shared cookies.

unknwon (Member) commented Feb 23, 2017

Thanks for the info, but I still don't see your answer to my question?

@yyxx9988 (Author)

Sorry about that. But the truth is I didn't allow it. Gogs still uses its own registration system to log in/log out.

unknwon (Member) commented Feb 23, 2017

Shouldn't you only allow one specific domain for users to login/access Gogs?

@yyxx9988 (Author)

a.example.com, b.example.com and c.example.com use account.example.com/user/login to log in/access.

gogs.example.com uses gogs.example.com/user/login to log in/access.

They are separated.

unknwon (Member) commented Feb 23, 2017

> If another user is redirected to gogs.example.com from normal.example.com, he gets "Invalid csrf token" because the CSRF cookies are mixed.

OK, then what does this mean? I'm confused.

unknwon (Member) commented Feb 23, 2017

I might see what you mean.

So normal.example.com is also using the _csrf cookie name, the same one as Gogs?

@yyxx9988 (Author)

(screenshot attached in the original comment)

@yyxx9988 (Author)

> I might see what you mean.
> So normal.example.com is also using the _csrf cookie name, the same one as Gogs?

Yes, exactly!

@unknwon unknwon added the 🔨 enhancement Make it better, faster label Feb 23, 2017
@unknwon unknwon added this to the 0.11.0 milestone Feb 23, 2017
unknwon (Member) commented Feb 23, 2017

Patch (054e97d) has been pushed to fix this issue, please test on the develop branch.

It adds a new config option `[session] CSRF_COOKIE_NAME`.
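The collision this thread describes, as an added example that is not code from Gogs or from anyone in the thread. It models a browser cookie jar for a user who visited normal.example.com (shared `_csrf` cookie for `*.example.com`) before gogs.example.com (host-only `_csrf`), builds the `Cookie` header per RFC 6265 ordering, and runs a stand-in for the server-side check using Go's `net/http`, which returns the first cookie of a given name. The jar model, the token values and the replacement name `_gogs_csrf` (an illustrative value for `CSRF_COOKIE_NAME`) are all assumptions; the real Gogs middleware is not reproduced.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// storedCookie is a simplified browser cookie-jar entry (constructed for this
// example; a real jar also tracks Secure, HttpOnly, expiry and more).
type storedCookie struct {
	Name, Value, Domain, Path string
	HostOnly                  bool // true when the Set-Cookie had no Domain attribute
	Created                   int  // creation order, lower = older
}

// domainMatches implements the RFC 6265 section 5.1.3 domain-match rule.
func domainMatches(reqHost, cookieDomain string) bool {
	return reqHost == cookieDomain || strings.HasSuffix(reqHost, "."+cookieDomain)
}

// cookieHeaderFor builds the Cookie header a browser sends to reqHost for path "/":
// host-only cookies match only their exact host, domain cookies match the domain
// and its subdomains, and cookies are ordered by longer path first, then by
// creation time (RFC 6265 section 5.4). Same-name cookies are NOT de-duplicated,
// which is the root of the collision in this issue.
func cookieHeaderFor(jar []storedCookie, reqHost string) string {
	var sent []storedCookie
	for _, c := range jar {
		if c.HostOnly {
			if c.Domain == reqHost {
				sent = append(sent, c)
			}
		} else if domainMatches(reqHost, c.Domain) {
			sent = append(sent, c)
		}
	}
	sort.SliceStable(sent, func(i, j int) bool {
		if len(sent[i].Path) != len(sent[j].Path) {
			return len(sent[i].Path) > len(sent[j].Path)
		}
		return sent[i].Created < sent[j].Created
	})
	parts := make([]string, 0, len(sent))
	for _, c := range sent {
		parts = append(parts, c.Name+"="+c.Value)
	}
	return strings.Join(parts, "; ")
}

// csrfCookieMatches is a stand-in for the server-side check: the token carried by
// the form must equal the value of the CSRF cookie named cookieName. Like Go's
// net/http (Gogs is written in Go), Request.Cookie returns the FIRST cookie with
// that name when several are present in the header.
func csrfCookieMatches(cookieHeader, cookieName, formToken string) bool {
	req := httptest.NewRequest(http.MethodPost, "http://gogs.example.com/", nil)
	req.Header.Set("Cookie", cookieHeader)
	c, err := req.Cookie(cookieName)
	if err != nil {
		return false
	}
	return c.Value == formToken
}

// exampleJar is the (constructed) jar of a user who first visited normal.example.com,
// which set a shared _csrf cookie for *.example.com, and then gogs.example.com,
// whose CSRF cookie is named gogsCookieName. Token values are made up.
func exampleJar(gogsCookieName string) []storedCookie {
	return []storedCookie{
		{Name: "_csrf", Value: "normal-token-111", Domain: "example.com", Path: "/", HostOnly: false, Created: 1},
		{Name: gogsCookieName, Value: "gogs-token-222", Domain: "gogs.example.com", Path: "/", HostOnly: true, Created: 2},
	}
}

func main() {
	// Default: both sites use "_csrf"; Gogs reads the shared one and rejects its own token.
	hdr := cookieHeaderFor(exampleJar("_csrf"), "gogs.example.com")
	fmt.Println("Cookie:", hdr)
	fmt.Println("valid with default name:", csrfCookieMatches(hdr, "_csrf", "gogs-token-222"))

	// With a distinct name (what [session] CSRF_COOKIE_NAME lets you set), there is no collision.
	hdr = cookieHeaderFor(exampleJar("_gogs_csrf"), "gogs.example.com")
	fmt.Println("Cookie:", hdr)
	fmt.Println("valid with renamed cookie:", csrfCookieMatches(hdr, "_gogs_csrf", "gogs-token-222"))
}
```

Two points worth checking in your own deployment follow from the ordering rule above: the shared cookie only shadows the host-only one when it was created first, so the failure depends on which site the user visited first and can look intermittent; and renaming only helps if the new name is not also used by another site on the parent domain.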

@yyxx9988 (Author)

Thanks very much!

@unknwon unknwon closed this as completed Feb 25, 2017
Martchus pushed a commit to Martchus/gogs that referenced this issue Aug 27, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 13, 2022