🐛 Request Header Fields Too Large when running CSRF and encrypt cookie middleware #1631
Comments
Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord
I can reproduce this on the latest fiber release. If you run the above code and keep refreshing, the
For the time being, changing the order of registering middlewares seems to be avoiding the issue.

```go
package main

import (
	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/csrf"
	"github.com/gofiber/fiber/v2/middleware/encryptcookie"
)

func main() {
	app := fiber.New()

	// cookie value generated by running `cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
	app.Use(encryptcookie.New(encryptcookie.Config{
		Key: "VWY9XBVap74Zpd0ckbT1reTl0NM6pz7R"}))
	app.Use(csrf.New())

	app.Get("/", func(c *fiber.Ctx) error {
		return c.SendString("Hello, World!")
	})

	app.Listen(":3000")
}
```
To what @vinay03 mentioned, I would like to add that technically, the encryptcookie middleware already supports skipping cookies by name via the Except field at config time. So for csrf, one could just skip it, since it has its own generation ops (assuming below that the codebase keeps the default csrf cookie name as csrf_ )
With that added, you can use csrf independently positioned
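A standard-library Go model of the growth described in this issue and of what excluding the cookie by name changes, added here as an illustration; it is not code from this thread or from Fiber. Assumptions: `seal` (AES-GCM plus base64) stands in for the encrypting middleware, the handler echoes back the cookie value it received, and the key, token and function names are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// seal encrypts value with AES-GCM and base64-encodes nonce||ciphertext||tag,
// so each call adds 28 bytes and then a 4/3 encoding expansion.
func seal(key []byte, value string) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(value), nil))
}

// CookieSizes models `rounds` page refreshes and returns the cookie length
// after each one. Cookies named in except are passed through unsealed.
func CookieSizes(rounds int, except map[string]bool) []int {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	const name = "csrf_"                              // cookie name mentioned in the thread
	value := "3f2b8c1e-9d4a-4c6b-8e57-1a2b3c4d5e6f"   // constructed token
	sizes := make([]int, 0, rounds)
	for i := 0; i < rounds; i++ {
		if !except[name] {
			// Assumed model: the still-sealed value is echoed and sealed again.
			value = seal(key, value)
		}
		sizes = append(sizes, len(value)) // what the browser stores and resends
	}
	return sizes
}

func main() {
	fmt.Println("all cookies sealed:", CookieSizes(6, nil))
	fmt.Println("csrf_ excepted:    ", CookieSizes(6, map[string]bool{"csrf_": true}))
}
```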
Thanks @silviucm, I'll close the issue, as it is not an issue anymore but a small bug.
@ReneWerner87
Fiber version 2
Issue description
When running the following script in a browser you will notice that the cookie value is growing by continuously encrypting the value. The browser will respond with
Request Header Fields Too Large
when the cookie is too big.
Code snippet