CSRF middleware #1
Comments
I don't. But it should be fairly possible to spawn one based on the cookie session invented here.
I tried implementing a CSRF middleware using your cowboy_session rambocoder@b26980d. However, the catch is that I need to read POST["_csrf"], and I do that using cowboy_req:body_qs/1 in the middleware module. In the page handler, I tried to read the other body values again and cowboy_req:body_qs/1 becomes useless, since Cowboy only allows you to read body_qs once :( Given that body_qs can be read only once, and that there is no way to pass additional data from middleware to handlers in a clean way, it just makes sense to not have CSRF as middleware but to implement it in specific handlers.
ninenines/cowboy#502
If we have middleware that will parse the body, how could we pass the body information to the next middleware or to the handler? Using request meta?
I base this on the point that security is ensured by passing CSRF in a secure encrypted cookie so that it can't be snooped. If we change CSRF in the session every time, it is not guessable from outside and we can pass the token via querystring.
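The querystring approach from the comment above, as an added example that is not part of the original thread or of cowboy_session: the check compares a `_csrf` query parameter against the token held in the session, so the request body is never read and stays available to the handler. The module name, the function names and the `[{Key, Value}]` shape of the parsed query string are assumptions; fetching the session token and wiring the check into a Cowboy middleware are left out.

```erlang
%% Added example: not code from cowboy_session or from this thread.
%% Assumes the caller already has the session's token and the parsed
%% query string as a [{Key, Value}] list of binaries.
-module(csrf_qs_example).
-export([new_token/0, check/3, demo/0]).

%% 32 random bytes, hex encoded so the token is safe inside a URL.
%% Store a fresh one in the session after each successful check to rotate it.
new_token() ->
    << <<(hex(N))>> || <<N:4>> <= crypto:strong_rand_bytes(32) >>.

hex(N) when N < 10 -> $0 + N;
hex(N) -> $a + N - 10.

%% Safe methods pass. Anything else needs a `_csrf` query parameter equal
%% to the session token. The request body is never touched here.
check(Method, _QsVals, _Token) when Method =:= <<"GET">>;
                                    Method =:= <<"HEAD">>;
                                    Method =:= <<"OPTIONS">> ->
    ok;
check(_Method, QsVals, Token) when is_binary(Token), byte_size(Token) > 0 ->
    case lists:keyfind(<<"_csrf">>, 1, QsVals) of
        {_, Sent} when is_binary(Sent) ->
            case equal(Sent, Token) of
                true -> ok;
                false -> {error, 403}
            end;
        _ -> {error, 403}
    end;
check(_Method, _QsVals, _Token) ->
    {error, 403}. % no token in the session: reject rather than match <<>>

%% Comparison that does not stop at the first differing byte.
equal(A, B) when byte_size(A) =/= byte_size(B) -> false;
equal(A, B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    0 =:= lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs).

%% Constructed sample requests; each line crashes if the result differs.
demo() ->
    T = new_token(),
    ok = check(<<"GET">>, [], T),
    ok = check(<<"POST">>, [{<<"_csrf">>, T}], T),
    {error, 403} = check(<<"POST">>, [], T),
    {error, 403} = check(<<"POST">>, [{<<"_csrf">>, <<"guess">>}], T),
    {error, 403} = check(<<"POST">>, [{<<"_csrf">>, <<>>}], <<>>),
    ok.
```

A token carried in the URL can end up in access logs and Referer headers; sending the same value in a request header avoids that and also leaves the body unread.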
@rambocoder Sorry to hijack this, but you sent me an email, I sent you a reply, and your ClamAV seems to reject all my emails to you.
FYI angular.js technique:
Vladimir, do you know if somebody created a CSRF prevention middleware for Cowboy?