eggjs / egg

🥚 Born to build better enterprise frameworks and apps with Node.js & Koa
https://eggjs.org
MIT License

egg-security-csrf support config cookie secure #3517

Closed daifee closed 5 years ago

daifee commented 5 years ago

Background

I found a bug when the following conditions are met:

Reproduce the bug:

  1. The user visits an HTTPS page.
    • The web server responds with the cookie set-cookie: csrf_token=val; secure.
    • Chrome sets the cookie.
  2. The user visits a new page (HTTP) in the same session.
    • The browser does not send the cookie (expected).
    • The web server responds with a new cookie set-cookie: csrf_token=val; (expected).
    • Chrome cannot overwrite the cookie csrf_token (not what I expected, but it is per the specification).

Proposal

Support configuring cookie secure

// Options for the CSRF token cookie issued by egg-security
const cookieOpts = {
  domain: cookieDomain && cookieDomain(this),
  signed: false,
  httpOnly: false,
  overwrite: true,
  // proposed new option: let the app decide the Secure attribute explicitly
  secure: this.app.config.security.csrf.cookieSecure
};
this.cookies.set(cookieName, secret, cookieOpts);

Additional context

Koa auto-detects cookie secure
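The sequence above, replayed in plain Node.js as an added example (this is not code from egg, egg-security, Koa or the cookies package; the function and class names buildSetCookie, CookieJar and replayIssue are hypothetical). The server side models the cookies-library default the issue calls "auto-detect": when secure is left unset, the attribute follows the connection; when it is set, the configured value wins, and secure: true over plain HTTP is refused. The browser side models two rules of the cookie store in RFC 6265bis: a non-secure origin cannot set a Secure cookie, and it cannot overwrite an existing Secure cookie of the same name ("Leave Secure Cookies Alone"), which is the behaviour Chrome shows in step 2.

```javascript
// Added example, not from the egg/Koa projects. Models the server-side Secure
// decision and the browser cookie-store rules behind this issue.

const SECURE_SCHEMES = new Set(['https', 'wss']);

// Server side: when `configuredSecure` is undefined the attribute follows the
// connection (the cookies-library default); otherwise the configured value
// wins. Secure over an unencrypted connection is refused, as that library does.
function buildSetCookie(name, value, connectionSecure, configuredSecure) {
  const secure = configuredSecure === undefined ? connectionSecure : configuredSecure;
  if (secure && !connectionSecure) {
    throw new Error('Cannot send secure cookie over unencrypted connection');
  }
  return `${name}=${value}` + (secure ? '; secure' : '');
}

// Minimal parser for the Set-Cookie strings produced above.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: attrs.some((a) => a.toLowerCase() === 'secure'),
  };
}

// Browser side: a cookie jar keyed by cookie name (domain/path omitted).
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // Store a cookie received over `scheme`; returns false when the browser drops it.
  receive(scheme, header) {
    const cookie = parseSetCookie(header);
    const fromSecure = SECURE_SCHEMES.has(scheme);
    // Rule 1: a non-secure origin may not set a Secure cookie.
    if (cookie.secure && !fromSecure) return false;
    // Rule 2 ("Leave Secure Cookies Alone"): a non-secure origin may not
    // overwrite an existing Secure cookie with the same name.
    const existing = this.store.get(cookie.name);
    if (existing && existing.secure && !fromSecure) return false;
    this.store.set(cookie.name, cookie);
    return true;
  }

  // Cookies the browser attaches to a request made over `scheme`.
  send(scheme) {
    const fromSecure = SECURE_SCHEMES.has(scheme);
    const out = {};
    for (const [name, c] of this.store) {
      if (c.secure && !fromSecure) continue; // Secure cookies never go over HTTP
      out[name] = c.value;
    }
    return out;
  }
}

// Replays the two steps from the issue. Each entry says whether the CSRF
// cookie the browser would send next still matches the secret the server
// just issued; a false entry is the mismatch that fails the CSRF check.
function replayIssue(configuredSecure) {
  const jar = new CookieJar();
  const results = [];
  // Step 1: HTTPS page, server issues secret "s1" (constructed value).
  jar.receive('https', buildSetCookie('csrf_token', 's1', true, configuredSecure));
  results.push(jar.send('https').csrf_token === 's1');
  // Step 2: HTTP page, browser sent no Secure cookie, server issues "s2".
  jar.receive('http', buildSetCookie('csrf_token', 's2', false, configuredSecure));
  results.push(jar.send('http').csrf_token === 's2');
  return results;
}

console.log('auto-detect:', replayIssue(undefined)); // [ true, false ]
console.log('cookieSecure=false:', replayIssue(false)); // [ true, true ]
```

With the attribute auto-detected, step 2 leaves the browser holding the stale Secure token while the server expects the new one, so every HTTP request in that session fails CSRF validation. Forcing cookieSecure: false makes the replay pass but removes the Secure flag from the token cookie on HTTPS pages as well; serving the whole session over HTTPS (the redirect suggested in the reply below) avoids the mismatch without giving up the flag.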

popomore commented 5 years ago

According to the Koa issue you referred to, the proposal was rejected. Maybe you can redirect 80 to 443 and always use HTTPS.

daifee commented 5 years ago

I think exposing the config is better. Koa can be configured, but egg-security hides it.