
Default path can cause unexpected CSRF token rejections #144

Closed
jackc opened this issue Oct 1, 2020 · 4 comments

Comments

@jackc

jackc commented Oct 1, 2020

The default path for the CSRF cookie is the request path. This can lead to multiple instances of the CSRF cookie.

For example:

GET /foo/bar -> sets cookie with path of /foo/bar
GET /foo -> sets cookie with path of /foo

When a subsequent request is sent that matches both paths the CSRF token can be rejected. I'm not sure if it is sending both cookies or sending the wrong one. But the request is rejected. These errors can be quite confusing to diagnose.

I resolved this in my application by changing the path to /.

Would it be a good idea to change the default path to / or at least to document this potential problem?
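The sequence above, reproduced as an added example (this is not gorilla/csrf code and not code from the issue author): a toy CSRF cookie handler built only on Go's standard library, driven by an `http.Client` with a `cookiejar.Jar` that applies RFC 6265 path matching and ordering the same way a browser does. The handler name `newHandler`, the cookie name `demo_csrf_base`, the plain-value token scheme and `runScenario` are all assumptions made for the demonstration; the real library encrypts its tokens and uses a different cookie name. With an empty `cookiePath` the cookie is scoped to the request path (the default described in the issue); with `"/"` it is scoped to the whole site, the fix the author applied. The example also answers the "both cookies or the wrong one" question: the jar sends both, longest path first, and `r.Cookie` returns the first one.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"strings"
)

// cookieName is a hypothetical name for the demo; it is not gorilla/csrf's cookie.
const cookieName = "demo_csrf_base"

// newHandler builds a minimal CSRF-style handler. On a GET it issues (or reuses) a
// base token stored in a cookie and writes that token as the body, standing in for a
// rendered form. On a POST it requires the posted "token" to equal the cookie value.
// cookiePath == "" mimics the default the issue describes: Path = request path.
func newHandler(cookiePath string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var base string
		if c, err := r.Cookie(cookieName); err == nil {
			// r.Cookie returns the FIRST cookie with this name in the Cookie header.
			base = c.Value
		} else {
			buf := make([]byte, 16)
			if _, err := rand.Read(buf); err != nil {
				http.Error(w, "rng failure", http.StatusInternalServerError)
				return
			}
			base = hex.EncodeToString(buf)
			p := cookiePath
			if p == "" {
				p = r.URL.Path // per-request-path scoping: the problematic default
			}
			http.SetCookie(w, &http.Cookie{Name: cookieName, Value: base, Path: p, HttpOnly: true})
		}
		switch r.Method {
		case http.MethodGet:
			fmt.Fprint(w, base) // the token a page at this path would embed in its form
		case http.MethodPost:
			if r.FormValue("token") != base {
				http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
				return
			}
			fmt.Fprint(w, "ok")
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
}

// Result records what the final POST of the scenario produced.
type Result struct {
	Status      int // HTTP status of POST /foo/bar
	CookiesSent int // number of demo cookies the jar attaches to a request to /foo/bar
}

func get(client *http.Client, u string) (string, error) {
	resp, err := client.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return strings.TrimSpace(string(b)), err
}

// runScenario replays the issue: GET /foo/bar, GET /foo (take its form token),
// then POST /foo/bar with that token, against a server using cookiePath.
func runScenario(cookiePath string) (Result, error) {
	srv := httptest.NewServer(newHandler(cookiePath))
	defer srv.Close()
	jar, err := cookiejar.New(nil)
	if err != nil {
		return Result{}, err
	}
	client := &http.Client{Jar: jar}

	if _, err := get(client, srv.URL+"/foo/bar"); err != nil { // cookie #1: Path=/foo/bar (or /)
		return Result{}, err
	}
	token, err := get(client, srv.URL+"/foo") // cookie #2: Path=/foo (or reuse of cookie #1)
	if err != nil {
		return Result{}, err
	}
	target, _ := url.Parse(srv.URL + "/foo/bar")
	sent := len(jar.Cookies(target)) // jar orders matches longest path first, like a browser

	resp, err := client.PostForm(target.String(), url.Values{"token": {token}})
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	return Result{Status: resp.StatusCode, CookiesSent: sent}, nil
}

func main() {
	for _, p := range []string{"", "/"} {
		r, err := runScenario(p)
		fmt.Printf("cookiePath=%q -> %+v err=%v\n", p, r, err)
	}
}
```

With the per-request-path default the POST to /foo/bar carries two cookies; the server reads the /foo/bar one, but the form token came from the /foo cookie, so the request is rejected with 403. With the path set to "/" there is a single cookie and the same sequence succeeds. In gorilla/csrf the equivalent setting is the `csrf.Path` option the thread refers to.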

@stale

stale bot commented Dec 5, 2020

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.

@stale stale bot added the stale label Dec 5, 2020
@greywolve

We ran into this recently too. Could we add something to the README which documents this gotcha? (We had to change the path to / as well to fix our issues)

@stale stale bot removed the stale label Dec 9, 2020
@karelbilek

@greywolve already made a PR :D

#147

@karelbilek

I don't think it's a good idea to make the default path /, as that would be a big backwards compat change and could randomly break something somewhere.

@jackc jackc closed this as completed May 15, 2021
jackc added a commit to jackc/hannibal that referenced this issue Dec 4, 2021
Avoid CSRF token failures due to multiple cookies being set at different
paths.

gorilla/csrf#144

3 participants