Host specific CSRF token doesn't work for WebSocket connect_session #5983

Closed as not planned
@hikui

Description

Environment

  • Elixir version (elixir -v): 1.16.3
  • Phoenix version (mix deps): 1.7.10
  • Operating system: Linux

Actual behavior

To get the session in a WebSocket, we need to include _csrf_token in the connection parameters. However, if the CSRF token was generated using Plug.CSRFProtection.get_csrf_token_for/1, the validation will always fail.

Expected behavior

Should using a host-specific CSRF token succeed in the WebSocket session? (Unless it's by design for some reason?)

Explanation

This happens in 1.7.10, but I guess it also happens in the main branch. Given that the CSRF token validation function used in Phoenix.Socket.Transport is Plug.CSRFProtection.valid_state_and_csrf_token?/2, which only accepts the CSRF token in the format

<<user_token::@double_encoded_token_size-binary, mask::@encoded_token_size-binary>>,

Maybe the following format should also be considered?

<<@digest, _::binary>> = signed_user_token,
