
Comments (11)

dougwilson commented on March 29, 2024

Yes, I'll get some docs up as soon as I can (still on a holiday where I am). For now, you can always look at our tests for the cookie csrf here: https://github.com/expressjs/csurf/blob/master/test/test.js#L83-L138

In general, it works exactly the same as the non-cookie one, just instead of storing the secret in your req.session, it stores it in a cookie. You will need to include the token with your forms when you POST, just like the non-cookie one (which in the end is still a cookie, since it requires a session cookie).

/cc @Fishrock123

from csurf.

dougwilson commented on March 29, 2024

In fact, if you look at https://github.com/expressjs/csurf#simple-express-example and change app.use(csrf()) to app.use(csrf({ cookie: true })), then it works just fine.


Fishrock123 commented on March 29, 2024

Hmm, will look into it; I don't really understand csrf very well.


dougwilson commented on March 29, 2024

@Fishrock123 I cc'd you mainly for updating the Readme if you had time before I return :) I believe just doing the above modification to the existing example should work, though if you wanted to verify, that would be neat as well :)


ludohenin commented on March 29, 2024

It actually does not work for me and I really don't understand why.
I'm using it in connection with an Angular app. When I follow it step by step, the XSRF header is correctly set by Angular, csurf reads the right cookie, both values are the same, but I get an Invalid Session error. Digging a bit into the verify function, there is tokenization at some point and that is where it fails.
Any idea where/what I'm doing wrong?


dougwilson commented on March 29, 2024

@ludohenin Unfortunately I have no idea how Angular works and I can't particularly answer it well unless you have an app I can run that doesn't work, so I can take a look.

I was able to try out the code we have in our README (which doesn't even involve Angular) and it works just fine, even with the cookie setting.


ludohenin commented on March 29, 2024

I think in the end it has nothing to do with Angular. What I don't understand is why, even though I have the same value set in the X-XSRF-TOKEN request header as in the XSRF-TOKEN cookie, I get invalid session. Which I guess is normal, as Angular gets the token from the cookie.

My middlewares for reference:

var express      = require('express');
var errorhandler = require('errorhandler');
var cookieParser = require('cookie-parser');
var session      = require('express-session');
var bodyParser   = require('body-parser');
var csrf         = require('csurf');
// config, setLogger and csrfErrorHandler are the poster's own and are not shown

var app = express();
app.use(errorhandler());
app.use(setLogger());
app.use(cookieParser());               // needed so csurf can read its cookie
app.use(session(config.session));
app.use(bodyParser.json());
app.use(csrf(config.csrf));            // csurf mounted after the parsers it depends on
app.use(csrfErrorHandler);


jkrems commented on March 29, 2024

Something that might be worth noting in the README: cookie: true does not set the cookie path, which may lead to unexpected behavior in some environments. It's also not httpOnly by default (if I read the source correctly). So the "default" way might be something closer to cookie: { path: '/', httpOnly: true }.


dougwilson commented on March 29, 2024

Something that might be worth noting in the README: cookie: true does not set the cookie path, which may lead to unexpected behavior in some environments

Yes. This will be addressed as part of #41


jkrems commented on March 29, 2024

Ah, sorry. Forgot to check the PRs as well.


dougwilson commented on March 29, 2024

@deian I got around looking into it, and I believe if you cannot get it to work and you're getting an error, it's because you may have missed the note in the README that you need to use the cookie-parser library as well. Here is a complete example that works:

var cookieParser = require('cookie-parser')
var csrf         = require('csurf')
var express      = require('express')

var app = express()

// setup cookie parser
app.use(cookieParser())

// setup CSRF for all routes
app.use(csrf({cookie: true}))

// error handler
app.use(function (err, req, res, next) {
  if (err.code !== 'EBADCSRFTOKEN') return next(err)

  // handle CSRF token errors here
  res.status(403)
  res.send('session has expired or form tampered with')
})

app.get('/', function(req, res) {
  var csrfToken = req.csrfToken()

  res.send('<form method="post" action="?_csrf=' + csrfToken + '"><button type="submit">Submit</button></form>')
})

app.listen(3000)

