gorilla-csrf sometimes sets two cookies, breaking CSRF validation #73
Labels
Comments
|
Do you have copies of those cookies?
What is similar or shared about them? (Domain?, Path?)
Are production clients being issued cookies from test deployments?
There’s not quite enough to go on here, and key rotation would just mask
the issue, given that I assume you don’t intend to share keys between
testing and prod?
…On Mon, Oct 9, 2017 at 11:39 PM Andreas Fuchs ***@***.***> wrote:
Twice now in production, we've run into a problem where people end up with
two CSRF cookies, which randomly breaks validation of those cookies. I
haven't been able to reproduce this in any lab setting, but I think this
may be related to key rotation (e.g. #65
<#65>), as those were test
deployments that had a different CSRF key set.
Would it be possible for the error response emitted from a CSRF validation
failure to cause any invalid cookie to be deleted?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#73>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AABIcKRqbtAz-uyV8BsQLoMk07QgzTYSks5sqqCtgaJpZM4PzJU->
.
|
|
Closing due to inactivity, but please re-open if you can share a reproduction @asf-stripe |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Twice now in production, we've run into a problem where people end up with two CSRF cookies, which randomly breaks validation of those cookies. I haven't been able to reproduce this in any lab setting, but I think this may be related to key rotation (e.g. #65), as those were test deployments that had a different CSRF key set.
Would it be possible for the error response emitted from a CSRF validation failure to cause any invalid cookie to be deleted?
The text was updated successfully, but these errors were encountered: