Merge pull request #3 from checkpt/SM/fix-csrf-cookie-build-up

milagan · web-flow · commit e1ad684c5e73 · 2022-02-10T17:55:02.000-05:00
remove all csrf tokens before creating a new one
diff --git a/internal/server.go b/internal/server.go
@@ -3,6 +3,7 @@ package tfa
 import (
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/containous/traefik/v2/pkg/rules"
 	"github.com/sirupsen/logrus"
@@ -83,7 +84,6 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Logging setup
 		logger := s.logger(r, "Auth", rule, "Authenticating request")
-
 		// Get auth cookie
 		c, err := r.Cookie(config.CookieName)
 		if err != nil {
@@ -238,6 +238,12 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht
 		return
 	}
 
+	for _, v := range r.Cookies() {
+		if strings.Contains(v.Name, config.CSRFCookieName) {
+			http.SetCookie(w, ClearCSRFCookie(r, v))
+		}
+	}
+
 	// Set the CSRF cookie
 	csrf := MakeCSRFCookie(r, nonce)
 	http.SetCookie(w, csrf)
