Token is stored in session cookie

[ivanol]

I just tried adding goji/csrf as middleware to an app and everything continued to work as normal even before adding csrf fields to the forms. It seems the token is stored in a session cookie automatically, and this is used for authentication. How does this prevent a csrf attack - won't any browser with an active session succeed with POST requests even if they are malicious?

[elithrar]

Just to clarify: you added the middleware before adding any of the form
helpers? Can you show your code?

Beyond that, the use of a session cookie is the double-submit cookie method:
you submit a cookie and a token in the request body that have matching (or
derived matching) values. An attacker cannot practically guess the value
of the token in your cookie.
On Wed, Feb 10, 2016 at 6:28 AM Ivanol notifications@github.com wrote:

I just tried adding goji/csrf as middleware to an app and everything
continued to work as normal even before adding csrf fields to the forms. It
seems the token is stored in a session cookie automatically, and this is
used for authentication. How does this prevent a csrf attack - won't any
browser with an active session succeed with POST requests even if they are
malicious?

—
Reply to this email directly or view it on GitHub
#7.

[ivanol]

Ok. Here is some code.

package main

import (
    "fmt"
    "net/http"

    "github.com/goji/csrf"
    "github.com/zenazn/goji"
    "github.com/zenazn/goji/web"
)

type formGetHandler struct {
}

type formPostHandler struct {
}

// Handle GET /
func (h *formGetHandler) ServeHTTPC(c web.C, w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, `
<h1>Test Form</h1>
<form action="/widgets" method="post" class="form-inline">
  <input name="testField" type="text"></input>
  <input name="commit" type="submit" value="Save">
</form>
`)
    return
}

// Handle POST /widgets
func (h *formPostHandler) ServeHTTPC(c web.C, w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Form submitted successfully")
}

func main() {
    goji.Use(csrf.Protect([]byte("32-byte-long-auth-key")))

    goji.Get("/", &formGetHandler{})
    goji.Post("/widgets", &formPostHandler{})
    goji.Serve()
}

This form submits successfully for me even though it doesn't contain a CSRF token. The csrf code is being loaded, and seems to be pulling the token out of a cookie on form submit.

[elithrar]

I definitely can't replicate that @ivanol:

The token in the cookie is inspected when the request is NOT a GET/HEAD/OPTIONS, but is explicitly compared to the token in the form body (or header). If the token is not passed in the form body or header you should get a HTTP 403 (as per the GIF).

[ivanol]

Have emailed you directly - let me know if you don't receive. Thanks.

[elithrar]

Ref: #8 - have also replied. Thanks!