Fiber: 🐛 CSRF cookie is still SameSite=Lax when receiving the config

Created on 30 Sep 2020 · 6 Comments · Source: gofiber/fiber

Fiber version
2.0.4
Issue description

Code snippet

    csrf.New()                                                   // Strict
    csrf.New(csrf.Config{})                                      // Lax
    csrf.New(csrf.Config{Cookie: &fiber.Cookie{Path: "/"}})      // Lax

☢️ Bug 🏷 Wait for Release

All 6 comments

Nice catch @falsandtru, fixed in https://github.com/gofiber/fiber/pull/860

Looks like the other defaults such as the name are lost too.

Set-Cookie: 26db76a7-1693-4070-a877-b681f87108ee; expires=Thu, 01 Oct 2020 13:46:51 GMT; path=/; SameSite=Lax

Seems to work fine on my end; could you by any chance share your example to reproduce it?

Set-Cookie: _csrf=dad426b8-1054-4c14-89f5-1e6ce0159415; expires=Fri, 02 Oct 2020 21:21:37 GMT; path=/; SameSite=Strict

Here is a repro.

    // v2.0.4
    package main

    import (
        "github.com/gofiber/fiber/v2"
        "github.com/gofiber/fiber/v2/middleware/csrf"
    )

    func main() {
        var app = fiber.New()
        // Only Path is set; Name and SameSite are left empty.
        app.Use("/signup", csrf.New(csrf.Config{Cookie: &fiber.Cookie{Path: "/signup"}}))
        app.Get("/signup", func(c *fiber.Ctx) error {
            c.Type("html")
            return c.Send([]byte("<h1>Signup</h1>"))
        })
        app.Listen(":" + env.Port) // env.Port comes from the reporter's own config package
    }

Set-Cookie: 9572ced8-1be6-4a53-8c00-12a66cb5bc03; expires=Sat, 03 Oct 2020 01:49:05 GMT; path=/signup; SameSite=Lax

Could anyone reproduce it?

Able to reproduce. This is due to this line in csrf.New:

    if cfg.Cookie == nil {
        cfg.Cookie = ConfigDefault.Cookie
        if cfg.Cookie.Name == "" {
            cfg.Cookie.Name = "_csrf"
        }
        if cfg.Cookie.SameSite == "" {
            cfg.Cookie.SameSite = "Strict"
        }
    }

If you did pass a cookie, it expects all fields to be there since cfg.Cookie == nil will evaluate to true. I'll make a PR.
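The defaulting bug described in this comment, as an added example that is not the Fiber project's own code: a local Cookie stand-in (not the fiber type) with the v2.0.4 merging logic beside a per-field version, plus a renderer for the attributes the Set-Cookie lines above show. The defaultCookie values, the sample token and the Lax fallback are assumptions.

```go
package main

import "fmt"

// Cookie is a local stand-in for the fiber.Cookie fields this issue concerns
// (not the fiber type).
type Cookie struct {
	Name, Value, Path, SameSite string
}

// defaultCookie mirrors csrf.ConfigDefault.Cookie as quoted in the thread:
// name "_csrf" and SameSite=Strict (assumed values).
var defaultCookie = Cookie{Name: "_csrf", SameSite: "Strict"}

// applyDefaultsBuggy reproduces the v2.0.4 logic quoted above: defaults are
// applied only when no cookie was passed at all, so a partial cookie keeps an
// empty Name and SameSite.
func applyDefaultsBuggy(c *Cookie) Cookie {
	if c == nil {
		return defaultCookie
	}
	return *c
}

// applyDefaultsFixed fills each empty field on its own, so a partial config
// such as {Path: "/signup"} still gets the name and SameSite=Strict defaults.
func applyDefaultsFixed(c *Cookie) Cookie {
	if c == nil {
		return defaultCookie
	}
	out := *c
	if out.Name == "" {
		out.Name = defaultCookie.Name
	}
	if out.SameSite == "" {
		out.SameSite = defaultCookie.SameSite
	}
	return out
}

// setCookieHeader renders the attributes shown in the thread's Set-Cookie
// lines; an empty SameSite is emitted as Lax, matching the reported header.
func setCookieHeader(c Cookie) string {
	ss := c.SameSite
	if ss == "" {
		ss = "Lax"
	}
	return fmt.Sprintf("%s=%s; path=%s; SameSite=%s", c.Name, c.Value, c.Path, ss)
}
```

Feeding the reporter's partial config (Path only) through applyDefaultsBuggy yields a nameless Lax cookie, while applyDefaultsFixed yields `_csrf=...; SameSite=Strict` without overriding fields the caller did set.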
