Using of semicolon in csrf token? about csrf HOT 9 CLOSED

cookie libs should escape but yeah there's no reason for us to use a semicolon there

from csrf.

the csrf token itself is never sent through cookies. the csrf secret this.session.secret is (though if you use a db store then it won't). that spec is outdated and not a real spec (afaik). the way it works should be fine.

from csrf.

@visionmedia, yes the libs 'should' escape this. But in koa it doesn't do this by default:

https://github.com/jed/cookies/blob/master/lib/cookies.js#L50
https://github.com/jed/cookies/blob/master/lib/cookies.js#L84

right? ;)

@jonathanong , yes your sample doesn't use cookies. but this should be an option. For example Angular.js use this by default:

http://docs.angularjs.org/api/ng.$http#description_security-considerations_cross-site-request-forgery-protection

And here is the real specification:

http://www.w3.org/Protocols/rfc2109/rfc2109 / Set-Cookie Syntax

from csrf.

you can open a PR in jed/cookies

you can't use this library for angular since this library doesn't send a csrf token as a cookie. you could just create another library specifically for angular.

from csrf.

or we could just use something else instead of a semicolon so you could. suggestion?

from csrf.

I think most of the current code will work, also with angular or whatever. One can set the cookie by self like:

this.cookies.set('csrf-token', this.csrf, { expires: expire, httpOnly: false });

So, the only thing is the semicolon. Escaping the semicolon should also work, but this is not optimal.
This one:

http://www.senchalabs.org/connect/csrf.html

doesn't use a semicolon.

from csrf.

hmmm we've been setting JSON sessions with commas and probably whitespace. wonder how that has been working

from csrf.

4cd36fb

from csrf.

Thanks, tested ;)

from csrf.