Comments (11)
Yes, I'll get some docs up as soon as I can (still on a holiday where I am). For now, you can always look at our tests for the cookie csrf here: https://github.com/expressjs/csurf/blob/master/test/test.js#L83-L138
In general, it works exactly the same as the non-cookie one, just instead of storing the secret in your req.session, it stores it in a cookie. You will need to include the token with your forms when you POST, just like the non-cookie one (which in the end is still a cookie, since it requires a session cookie).
/cc @Fishrock123
from csurf.
In fact, if you look at https://github.com/expressjs/csurf#simple-express-example and change app.use(csrf()) to app.use(csrf({ cookie: true })), then it works just fine.
from csurf.
Hmm, will look into it; I don't really understand csrf very well.
from csurf.
@Fishrock123 I cc'd you mainly for updating the Readme if you had time before I return :) I believe just doing the above modification to the existing example should work, though if you wanted to verify, that would be neat as well :)
from csurf.
It actually does not work for me and I really don't understand why.
I'm using it in connection with an Angular app. When I follow it step by step, the XSRF header is correctly set by Angular, csurf reads the right cookie, both values are the same, but I get an Invalid Session error. Digging a bit into the verify function, there is tokenization at some point and that is where it fails.
Any idea where/what I'm doing wrong?
from csurf.
@ludohenin Unfortunately I have no idea how Angular works and I can't particularly answer it well unless you have an app I can run that doesn't work so I can take a look.
I was able to try out the code we have in our README (which doesn't even involve Angular) and it works just fine, even with the cookie setting.
from csurf.
I think in the end it has nothing to do with Angular. What I don't understand is why, even though I have the same value set in the X-XSRF-TOKEN request header as in the XSRF-TOKEN cookie, I get invalid session. Which I guess is normal, as Angular gets the token from the cookie.
My middlewares for reference:
var app = express();
app.use(errorhandler());
app.use(setLogger());
app.use(cookieParser());
app.use(session(config.session));
app.use(bodyParser.json());
app.use(csrf(config.csrf));
app.use(csrfErrorHandler);
from csurf.
Something that might be worth noting in the README: cookie: true does not set the cookie path, which may lead to unexpected behavior in some environments. It's also not httpOnly by default (if I read the source correctly). So the "default" way might be something closer to cookie: { path: '/', httpOnly: true }.
from csurf.
Something that might be worth noting in the README: cookie: true does not set the cookie path, which may lead to unexpected behavior in some environments
Yes. This will be addressed as part of #41
from csurf.
Ah, sorry. Forgot to check the PRs as well.
from csurf.
@deian I got around to looking into it, and I believe if you cannot get it to work and you're getting an error, it's because you may have missed the note in the README that you need to use the cookie-parser library as well. Here is a complete example that works:
var cookieParser = require('cookie-parser')
var csrf = require('csurf')
var express = require('express')

var app = express()

// setup cookie parser (required for cookie mode: csurf reads the secret from req.cookies)
app.use(cookieParser())

// setup CSRF for all routes
app.use(csrf({cookie: true}))

// error handler
app.use(function (err, req, res, next) {
  if (err.code !== 'EBADCSRFTOKEN') return next(err)

  // handle CSRF token errors here
  res.status(403)
  res.send('session has expired or form tampered with')
})

app.get('/', function (req, res) {
  var csrfToken = req.csrfToken()
  res.send('<form method="post" action="?_csrf=' + csrfToken + '"><button type="submit">Submit</button></form>')
})

app.listen(3000)
from csurf.