Comments (7)
Hi @DanielVip3, sorry you are having issues. Based on your description, especially with all other devices working, it does really sound like perhaps an issue with that device: either it has some setting on it preventing it from working, or that web browser is not compatible and perhaps we need to change something in this module to support it. Unfortunately, without even having access to that device / web browser combination myself, I'm not sure how much I can actually do to diagnose what the underlying issue is.
@dougwilson so uhm, would there be a way to examine the thing myself, asking the user what to do?
What should I specifically examine?
Thanks.
What is the configuration you have for this module (the arguments provided to `csurf()`)?
For now, I pass only `csurf({ cookie: true });`, nothing else.
I removed the custom value function, which I only used to test.
Could it depend on the secret key I pass to cookie-parser and express-session?
Cool. So the basic validation for that particular set up is just to check if the page that loads with the HTML form you put above contains a `Set-Cookie` response header with a `_csrf` cookie. Then check if that web browser does indeed have that `_csrf` cookie stored in its cookie storage with the same value as in the header. Then check that, when the form is submitted, the web browser sends a `Cookie` header with the request and one of the values in that header is `_csrf=` with, after the equals, the same value that was in `Set-Cookie` from before.
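A small diagnostic for the three checks described in the comment above, added here as an example rather than code from the csurf project or from this thread. It takes the `Set-Cookie` header(s) of the response that served the form and the `Cookie` header of the form submission (the sample headers below are constructed, not captured from a real app) and reports whether the `_csrf` cookie came back unchanged, or not at all, which is what a browser with cookies disabled produces.

```javascript
// Added diagnostic for the Set-Cookie / Cookie round-trip check (not csurf's own code).
// Plain Node, no dependencies: feed it the headers seen on the wire and it says
// whether the _csrf cookie issued by csurf({ cookie: true }) was sent back unchanged.

const CSRF_COOKIE = '_csrf'; // csurf's default cookie name in cookie mode

// Parse one Set-Cookie header into { name, value, attributes }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    if (i === -1) attributes[a.toLowerCase()] = true; // flag attribute, e.g. HttpOnly
    else attributes[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Parse a request Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i !== -1) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Compare what the server issued with what the client sent back on the POST.
function checkCsrfCookieRoundTrip(setCookieHeaders, requestCookieHeader) {
  const issued = setCookieHeaders.map(parseSetCookie).find((c) => c.name === CSRF_COOKIE);
  if (!issued) return { ok: false, reason: `server did not issue a ${CSRF_COOKIE} cookie` };
  const returned = parseCookieHeader(requestCookieHeader)[CSRF_COOKIE];
  if (returned === undefined) {
    // The case in this thread: the browser never stored, or never sent, the cookie.
    return { ok: false, reason: `client sent no ${CSRF_COOKIE} cookie (cookies disabled or not stored)`, issued: issued.value };
  }
  if (returned !== issued.value) return { ok: false, reason: 'cookie value changed between response and request', issued: issued.value, returned };
  return { ok: true, issued: issued.value, returned };
}

// Constructed sample headers (made-up values, not captured from a real csurf app).
const SAMPLE_SET_COOKIE = ['_csrf=abc123secret; Path=/; HttpOnly'];
const SAMPLE_OK_COOKIE = 'connect.sid=s%3Axyz; _csrf=abc123secret';
const SAMPLE_NO_COOKIE = undefined; // what a client with cookies disabled sends

console.log(checkCsrfCookieRoundTrip(SAMPLE_SET_COOKIE, SAMPLE_OK_COOKIE));
console.log(checkCsrfCookieRoundTrip(SAMPLE_SET_COOKIE, SAMPLE_NO_COOKIE));
```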
Uhm okay, so I should indeed test cookies. I'm gonna see and let you know soon.
Sorry, that was an issue with this tester who had cookies disabled without us noticing.
Thanks for your help in identifying the issue, and sorry for the useless issue and any disturbance.
I'm gonna close this issue.