When using the csrf middleware without changing the cookie name the cookie value is in plain text.
When you change the cookie name the value becomes encrypted.
see code below...
I expect to see it encrypted no matter what since I am using encryptcookie middleware.
Everything still works just very odd behavior.
Fiber v2.38.1
```go
package main

import (
	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/csrf"
	"github.com/gofiber/fiber/v2/middleware/encryptcookie"
)

func main() {
	app := fiber.New()

	app.Use(encryptcookie.New(encryptcookie.Config{
		Key: "blah blah",
	}))

	app.Use(csrf.New(csrf.Config{
		KeyLookup:      "form:pid",
		CookieName:     "csrf_1", // set encrypts - unset plain text
		CookieHTTPOnly: true,
	}))

	app.Listen(":8081")
}
```
We skip some of the cookies in the encryption (https://github.com/gofiber/fiber/blob/master/middleware/encryptcookie/config.go#L37); otherwise it is hard to know if the cookie value in the csrf middleware is encrypted or not.
Implemented in bff8843. @amir9480, can you help here with some explanations?
@mybigman Encrypting the csrf cookie value can cause issues for your app. You should add your csrf key (csrf_1) in encryptcookie Except configuration.
```go
app.Use(encryptcookie.New(encryptcookie.Config{
	Key:    "blah blah",
	Except: []string{"csrf_1"},
}))
```
Please check #1631.
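The behaviour discussed in this thread, as an added standard-library model (not code from Fiber or from any commenter): cookies named in an exception list pass through in plain text, everything else is sealed with AES-GCM. It assumes the list is matched by exact name and that the default list holds the csrf middleware's default cookie name, written here as `csrf_`; the function name `outgoing`, the token values and the all-zero key are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// outgoing models what the client receives. Names listed in except are left
// untouched; matching is by exact name (assumption), so an entry "csrf_"
// does not cover a renamed cookie such as "csrf_1".
func outgoing(cookies map[string]string, except []string, key []byte) (map[string]string, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	skip := make(map[string]bool, len(except))
	for _, name := range except {
		skip[name] = true
	}
	out := make(map[string]string, len(cookies))
	for name, value := range cookies {
		if skip[name] {
			out[name] = value // excepted: sent as-is
			continue
		}
		nonce := make([]byte, gcm.NonceSize()) // fresh nonce per cookie
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out[name] = base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(value), nil))
	}
	return out, nil
}

func main() {
	jar := map[string]string{"csrf_": "tok-a", "csrf_1": "tok-b"} // constructed values
	out, err := outgoing(jar, []string{"csrf_"}, make([]byte, 32)) // all-zero demo key
	fmt.Println(out, err)
}
```

With only `csrf_` in the list, the renamed `csrf_1` cookie comes back as ciphertext; adding `csrf_1` to the list returns it unchanged, which is the `Except` change suggested above.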