[app.ini] Enable customise CSRF cookie name for "Invalid csrf token" #4172
Comments
Why would you allow users to use different domains to connect to your Gogs? I think CSRF did exactly the right thing.
Thanks. It is by design -- share cookies between different sub-domains to keep user status (login, logout, post, comments...). There are more sub-domains like But the
Thanks for the info, but I still don't see your answer to my question?
Sorry about that. But the truth is I didn't allow it. Gogs still uses its own reg system to login/logout.
Shouldn't you only allow one specific domain for users to login/access Gogs?
They are separated.
OK, then what does this mean? I'm confused.
I might see what you mean. So
Yes, exactly!
Patch (054e97d) has been pushed to fix this issue, please test on Add new config option '[session] CSRF_COOKIE_NAME'.
Thanks very much!
There is a case of `Invalid csrf token` error:

domain: `example.com`
sub-domain1: `normal.example.com` => set cookie_csrf and cookie domain is `*.example.com`
sub-domain2: `gogs.example.com` => set cookie_csrf and cookie domain is `gogs.example.com`

If a user just uses `gogs.example.com`, everything is fine; if another user redirects to `gogs.example.com` from `normal.example.com`, he gets "Invalid csrf token" because the CSRF cookie is mixed.
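The collision described in this issue, as an added example that is not part of the issue or of Gogs' own code: the browser sends both same-named cookies to `gogs.example.com`, the `Cookie` header carries no `Domain` attribute, and a first-match lookup reads the parent-domain token. The cookie name `_csrf`, the token values, the renamed cookie `_gogs_csrf`, and the assumption that the older parent-domain cookie is sent first are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Constructed scenario from the issue: a user first visits normal.example.com, which sets a
// CSRF cookie scoped to the whole .example.com domain, then opens gogs.example.com, which sets
// a host-only CSRF cookie of the same name. The browser now sends BOTH to gogs.example.com.
// A Cookie request header carries only name=value pairs, so the server cannot tell them apart.
//
// Assumed (not from the page): the cookie name "_csrf", the token values, and the ordering
// rule that browsers emit the older (parent-domain) cookie first when paths are equal.

// parseCookieHeader returns every cookie with the given name, in the order the client sent them.
func parseCookieHeader(cookieHeader, name string) []string {
	req, _ := http.NewRequest("POST", "https://gogs.example.com/repo/create", nil)
	req.Header.Set("Cookie", cookieHeader)
	var values []string
	for _, c := range req.Cookies() {
		if c.Name == name {
			values = append(values, c.Value)
		}
	}
	return values
}

// validCSRF mirrors the usual middleware behaviour: look the cookie up by name (first match
// wins) and compare it with the token the form submitted.
func validCSRF(cookieHeader, cookieName, formToken string) bool {
	vals := parseCookieHeader(cookieHeader, cookieName)
	return len(vals) > 0 && vals[0] == formToken
}

func main() {
	// Before the fix: both sites use "_csrf"; the parent-domain cookie shadows the host-only one.
	shared := "_csrf=tokenFromNormal; _csrf=tokenFromGogs"
	fmt.Println("same name:", validCSRF(shared, "_csrf", "tokenFromGogs")) // false -> "Invalid csrf token"

	// After the fix: [session] CSRF_COOKIE_NAME gives Gogs its own cookie name, so no collision.
	distinct := "_csrf=tokenFromNormal; _gogs_csrf=tokenFromGogs"
	fmt.Println("distinct name:", validCSRF(distinct, "_gogs_csrf", "tokenFromGogs")) // true
}
```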