This repository has been archived by the owner on Sep 10, 2024. It is now read-only.

CSRF token cookie could be improved #2877

Open
reivilibre opened this issue Jun 27, 2024 · 1 comment

Comments

@reivilibre
Contributor

I was just looking at the code for the CSRF token cookie and suspect it could be improved.

```rust
impl CsrfExt for CookieJar {
```

  • cookie name should start with __Host- to prevent, in modern browsers that support this, some classes of cookie fixation attacks.
  • making it HTTP-only and 'Secure' seems good as defence in depth

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

I think localhost is considered 'Secure' so this shouldn't affect local development much, but there is a minor possibility this would need to be configurable.
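As an added illustration of the attributes discussed in the comment above (this is example code written for this page, not code from matrix-authentication-service), the block below builds the CSRF cookie in the weaker shape and in the proposed hardened shape, serialises each to a Set-Cookie header, and checks the browser rules that come with the `__Host-` prefix: the cookie must be `Secure`, must not carry a `Domain` attribute, and must have `Path=/`. The type and function names (`CookieAttrs`, `csrf_weak`, `csrf_hardened`, `host_prefix_violations`) and the cookie name `csrf` are assumptions for illustration, not the project's real identifiers.

```rust
use std::fmt::Write as _;

/// SameSite values as they appear in a Set-Cookie header.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SameSite {
    Strict,
    Lax,
    None,
}

impl SameSite {
    fn as_str(self) -> &'static str {
        match self {
            SameSite::Strict => "Strict",
            SameSite::Lax => "Lax",
            SameSite::None => "None",
        }
    }
}

/// The subset of cookie attributes relevant to the __Host- / Secure / HttpOnly discussion.
/// (Illustrative type; not the project's CookieJar or CsrfExt.)
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CookieAttrs {
    pub name: String,
    pub value: String,
    pub path: Option<String>,
    pub domain: Option<String>,
    pub secure: bool,
    pub http_only: bool,
    pub same_site: Option<SameSite>,
}

impl CookieAttrs {
    /// Weaker shape used here as the baseline for comparison (assumed, not the project's actual cookie).
    pub fn csrf_weak(token: &str) -> Self {
        CookieAttrs {
            name: "csrf".to_string(),
            value: token.to_string(),
            path: Some("/".to_string()),
            domain: None,
            secure: false,
            http_only: false,
            same_site: Some(SameSite::Lax),
        }
    }

    /// Hardened shape proposed in the issue: __Host- prefix, Secure and HttpOnly.
    pub fn csrf_hardened(token: &str) -> Self {
        CookieAttrs {
            name: "__Host-csrf".to_string(),
            value: token.to_string(),
            path: Some("/".to_string()),
            domain: None,
            secure: true,
            http_only: true,
            same_site: Some(SameSite::Lax),
        }
    }

    /// Serialise to the value of a Set-Cookie header.
    pub fn to_set_cookie(&self) -> String {
        let mut s = format!("{}={}", self.name, self.value);
        if let Some(p) = &self.path {
            write!(s, "; Path={}", p).unwrap();
        }
        if let Some(d) = &self.domain {
            write!(s, "; Domain={}", d).unwrap();
        }
        if self.secure {
            s.push_str("; Secure");
        }
        if self.http_only {
            s.push_str("; HttpOnly");
        }
        if let Some(ss) = self.same_site {
            write!(s, "; SameSite={}", ss.as_str()).unwrap();
        }
        s
    }
}

/// Reasons a browser that implements cookie prefixes would reject this cookie under the
/// __Host- rules: it must carry Secure, must not carry Domain, and must have Path=/.
/// Returns an empty Vec when the cookie is acceptable or when no prefix rule applies.
pub fn host_prefix_violations(c: &CookieAttrs) -> Vec<&'static str> {
    let mut v = Vec::new();
    if !c.name.starts_with("__Host-") {
        return v;
    }
    if !c.secure {
        v.push("missing Secure");
    }
    if c.domain.is_some() {
        v.push("Domain attribute present");
    }
    if c.path.as_deref() != Some("/") {
        v.push("Path is not /");
    }
    v
}

fn main() {
    // Constructed sample token; a real one would be random.
    for c in [CookieAttrs::csrf_weak("t0k3n"), CookieAttrs::csrf_hardened("t0k3n")] {
        println!("Set-Cookie: {}", c.to_set_cookie());
        println!("  __Host- violations: {:?}", host_prefix_violations(&c));
    }
}
```

The check matters because a `__Host-` cookie that is emitted without `Secure`, or with a `Domain` attribute, is silently dropped by browsers that enforce the prefix, so an application that adds the prefix without the matching attributes ends up with no CSRF cookie at all rather than a better-protected one.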

@matrixbot
Member

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: element-hq/matrix-authentication-service#2877
