Skip to content

RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set #61

New issue
New issue
Open
Open
RegenerateToken generates two CSRF cookies when no previous CSRF cookie was set#61
@aeneasr

Description

@aeneasr
aeneasr
opened on Oct 14, 2020

Calling RegenerateToken() in a request context where the client is not sending a CSRF cookie, two CSRF cookies will be generated:

map[Set-Cookie:[csrf_token=aZA5CKCpmzGwlyfyFZp1akOOo4dSbZEdSAziaN+nRYE=; Path=/; Domain=example.com; Max-Age=31536000; HttpOnly; Secure csrf_token=xe/JUh5YavyzQtmIqU018swoHmPN5nQsTSqSJscKJU4=; Path=/; Domain=example.com; Max-Age=31536000; HttpOnly; Secure] Vary:[Cookie]]

Depending on the order of the browser stores the cookie, this can lead to false-positive CSRF detection.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions