Open ptman opened 4 years ago
I'm not a security expert, but I don't think this `if` is necessary...
https://github.com/revel/modules/blob/master/csrf/app/csrf.go#L81
I got the same issue on my site. When accessing the login-form page directly from a Google search, an Invalid CSRF error occurred since `c.ViewArgs["_csrftoken"]` was empty.
@entereal Yes, you will get an invalid token if the page is loaded directly from another domain. Your login link should do a redirect to a CSRF page, like:
Main Page -> Link to Login
Login Page -> Redirect to secure CSRF login page
Secure Login
The URLs could be
yourdomain.com/ -> yourdomain.com/login (returns https://revel.github.io/manual/results.html#Redirect) -> yourdomain.com/login/secure
Then Google will only cache the link yourdomain.com/login,
and that can safely redirect to `yourdomain.com/login/secure`.
In case someone does try to directly load yourdomain.com/login/secure,
you can add a filter to check the Referer, and if the Referer wasn't yourdomain.com/login,
then redirect the response to that page first.
The `GET` method is in `allowedMethods`, so it should never result in a CSRF failure, right?
But this can happen if you come from a link or redirect from another origin, as `ViewArgs` is only populated at the end of the filter, and only if certain conditions are met.
Both https://github.com/justinas/nosurf and https://github.com/cbonello/revel-csrf handle this differently, either populating `ViewArgs` early or short-circuiting `allowedMethods`.
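To make the two approaches named above concrete, here is an added example in plain `net/http`. It is not code from revel, its csrf module, nosurf or revel-csrf, and not any commenter's code. The filter issues the token on every request before doing any check, so a cold `GET` arriving straight from a search-engine link already has a token for the template to render ("populate ViewArgs early"); it then skips enforcement entirely for safe methods ("short-circuit allowedMethods"); and for unsafe methods it applies the Referer filter suggested earlier in the thread (preferring `Origin` when present) before comparing the submitted field against the cookie in constant time. The function names `CSRF`, `ensureToken`, `sameOrigin`, `drive`, the `_csrftoken` cookie and field names, and the `example.com` host are assumptions made for this example; the requests in `drive` and `main` are constructed inline so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Cookie/field names and the example.com host are assumptions for this example.
const (
	tokenCookie = "_csrftoken" // cookie carrying the per-client token
	tokenField  = "_csrftoken" // hidden form field the template echoes back
	tokenLen    = 32           // random bytes per token (64 hex characters)
)

// safeMethods plays the role of allowedMethods: these methods are never checked.
var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true, "TRACE": true}

// ensureToken runs on every request, before any check, so even a cold GET straight
// from a search-engine link has a token for the template ("populate early").
func ensureToken(w http.ResponseWriter, r *http.Request) string {
	if c, err := r.Cookie(tokenCookie); err == nil && len(c.Value) == 2*tokenLen {
		return c.Value
	}
	b := make([]byte, tokenLen)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy no token can be issued safely
	}
	t := hex.EncodeToString(b)
	http.SetCookie(w, &http.Cookie{Name: tokenCookie, Value: t, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
	return t
}

// sameOrigin is the Referer filter suggested in the thread, preferring Origin when
// present; an unsafe request carrying neither header is refused, not trusted.
func sameOrigin(r *http.Request, host string) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	return src != "" && err == nil && strings.EqualFold(u.Host, host)
}

// CSRF issues the token first, then enforces it only for unsafe methods
// ("short-circuit allowedMethods"), handing the token to the wrapped handler.
func CSRF(host string, next func(http.ResponseWriter, *http.Request, string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := ensureToken(w, r)
		if !safeMethods[r.Method] && (!sameOrigin(r, host) ||
			subtle.ConstantTimeCompare([]byte(r.FormValue(tokenField)), []byte(token)) != 1) {
			http.Error(w, "invalid CSRF token or origin", http.StatusForbidden)
			return
		}
		next(w, r, token)
	})
}

// loginHandler renders the form with the token on GET and accepts it on POST.
func loginHandler(w http.ResponseWriter, r *http.Request, token string) {
	if r.Method == http.MethodPost {
		fmt.Fprint(w, "logged in")
		return
	}
	fmt.Fprintf(w, `<form method="POST"><input type="hidden" name=%q value=%q></form>`, tokenField, token)
}

// drive sends one constructed request through the filter; it returns the status, the
// body and the token the client now holds (newly issued, or the one it sent).
func drive(method, cookie, referer string, form url.Values) (int, string, string) {
	var body io.Reader
	if form != nil {
		body = strings.NewReader(form.Encode())
	}
	req := httptest.NewRequest(method, "http://example.com/login", body)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Referer", referer)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: tokenCookie, Value: cookie})
	}
	rec := httptest.NewRecorder()
	CSRF("example.com", loginHandler).ServeHTTP(rec, req)
	if cs := rec.Result().Cookies(); len(cs) > 0 {
		cookie = cs[0].Value
	}
	return rec.Code, rec.Body.String(), cookie
}

func main() {
	_, _, tok := drive(http.MethodGet, "", "", nil) // cold visit from a search result: 200, token issued
	code, _, _ := drive(http.MethodPost, tok, "http://attacker.example/", url.Values{tokenField: {tok}})
	fmt.Println(code) // a cross-origin POST is refused with 403
}
```

The point of ordering is that `ensureToken` has already run, and the cookie is already on the response, by the time the handler renders the form, whatever the method and wherever the visitor came from; the only requests that can fail are unsafe ones, and they fail on a cross-origin `Origin`/`Referer`, a missing header, a missing cookie, or a field that does not match the cookie.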