Question
I have a couple of questions related to the Firebase __session cookie and csurf cookies.
- From this article, Manage Cache, I got to know:
- That cookies are generally stripped from incoming requests.
- Only the specially named __session cookie is permitted to pass through to the execution of your app.
My question is: when there is no __session object in the cookies and I enter email and password and click submit, which triggers the route /sessionLogin, it reads all the cookie objects like below.
req.cookies= { _ga: 'GA1.1.1210804660.1609849157',
> _csrf: 'ZtTLMXbMFtY5AnUBmgbdKxAo',
> 'XSRF-TOKEN': 'lpEhRdtT-w0U8UafX_6U6TyaVWNosW2WNJ5o',
> _ga_6ZQNJN9DQC: 'GS1.1.1609849156.1.1.1609854307.0' }
> req.headers= { 'x-forwarded-host': 'localhost:5000',
> 'x-original-url': '/sessionLogin',
> pragma: 'no-cache',
> 'cache-control': 'no-cache, no-store',
> host: 'localhost:5001',
> connection: 'keep-alive',
> 'content-length': '930',
> 'sec-ch-ua':
> '"Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"',
> accept: 'application/json',
But when there is a __session cookie and I go to /login, enter email and password as above and click submit, which triggers the route /sessionLogin, I get an EBADCSRFTOKEN invalid csrf token for POST /sessionLogin, and while rewriting /login and displaying req.cookies it displays only the __session object, even though other cookie objects are there, like XSRF-TOKEN, _csrf, _ga_6ZQNJN9DQC, etc.
i functions: Beginning execution of "app"
> EBADCSRFTOKEN invalid csrf token
i hosting: 127.0.0.1 - - [05/Jan/2021:14:11:46 +0000] "POST /sessionLogin HTTP/1.1" 403 42 "http://localhost:5000/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
i functions: Finished "app" in ~1s
[hosting] Rewriting /login to http://localhost:5001/api-project-333122123186/us-central1/app for local Function app
i functions: Beginning execution of "app"
> In (*), XSRF_TOKEN=zillJz7h-5cx2xol2P088AezU1XPxvmZOhOg
> req.cookies= { __session:
> 'eyJhbGciOiJSUzI1NiIsImtpZCI6InRCME0yQSJ9.eyJpc3MiOiJodHRwczovL3Nlc3Npb24uZmlyZWJhc2UuZ29vZ2xlLmNvbS9hcGktcHJvamVjdC0zMzMxMjIxMjMxODYiLCJhdWQiOiJhcGktcHJvamV
And if I just delete the __session object and retry, it works normally. Is that how it's designed?
So during a proper signout I have to call res.clearCookie('__session');
and when going directly to route /login I will have to do res.clearCookie('__session');
- In the OWASP link, it's said:
"CSRF tokens should not be transmitted using cookies."
but I see in the Firebase examples in the link that csurfToken
is being passed as cookies.
Is that okay? Or is the article outdated, and does csurfToken need to be passed in hidden fields and headers?
Below is my code:
const functions = require('firebase-functions'); // assumed: the emulator logs show this app deployed as a Function named "app"
const admin = require('firebase-admin');
const express = require('express');
const cookieParser = require('cookie-parser');   // csurf's cookie mode needs req.cookies populated
const csrf = require('csurf');

admin.initializeApp();
const app = express();
app.use(express.json());    // assumed body parser: /sessionLogin reads req.body.idToken
app.use(cookieParser());

// csurf in cookie mode stores its secret in a _csrf cookie and validates the
// submitted token against that secret
const csrfMiddleware = csrf({ cookie: true });
app.use(csrfMiddleware);
app.use(function (err, req, res, next) {
  console.log(err.code, err.message);
  if (err.code !== 'EBADCSRFTOKEN') return next(err);
  // handle CSRF token errors here
  res.status(403).send({ message: "CSURF code has been tampered" });
});
/** Routes
 **********************************************************/
// This executes first and sets the cookie XSRF-TOKEN
app.all("*", (req, res, next) => {
  const XSRF_TOKEN = req.csrfToken();
  console.log(`In (*), XSRF_TOKEN=${XSRF_TOKEN}`);
  res.cookie("XSRF-TOKEN", XSRF_TOKEN);
  next();
});
// Login Setup and Check
app.post("/sessionLogin", (req, res) => {
  const idToken = req.body.idToken.toString();
  console.log("idToken=", idToken);
  console.log("req.cookies=", req.cookies);
  console.log("req.headers=", req.headers);
  const expiresIn = 60 * 60 * 24 * 5 * 1000;   // 5 days, in milliseconds
  admin.auth().createSessionCookie(idToken, { expiresIn }).then((sessionCookie) => {
    console.log(`In ${req.path} : And in createSessionCookie()`);
    const options = { maxAge: expiresIn, httpOnly: true };
    res.cookie("__session", sessionCookie, options);
    res.end(JSON.stringify({ status: "success" }));
  }, (error) => {
    res.status(401).send("UNAUTHORIZED REQUEST!");
  });
});
app.get('/', function (req, res) {
  const sessionCookie = req.cookies.__session || "";
  console.log("sessionCookie = ", sessionCookie);
  admin.auth().verifySessionCookie(sessionCookie, true /** checkRevoked */)
    .then(() => {
      res.render('home.ejs', { title: "home - Sushanth Tests" });
    }).catch((error) => {
      res.redirect("/login");
    });
});
app.get('/login', function (req, res) {
  console.log("req.cookies=", req.cookies);
  res.render('login.ejs', { title: "login - Sushanth Tests", pageID: "login" });
});

exports.app = functions.https.onRequest(app);   // assumed export, matching the Function named "app" in the logs
Source: https://stackoverflow.com/questions/65580905/firebase-hosting-cookie-behaviours