From 59449d8caf3c63ce2dba66267710e07621ceb733 Mon Sep 17 00:00:00 2001
From: orvice
Date: Fri, 14 Jan 2022 14:35:07 +0800
Subject: [PATCH 1/2] fix too many forward_auth cookies
---
 internal/server.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/internal/server.go b/internal/server.go
index 2e20df53..c26c6a90 100644
--- a/internal/server.go
+++ b/internal/server.go
@@ -3,6 +3,7 @@ package tfa
 import (
 "net/http"
 "net/url"
+ "strings"
 "github.com/containous/traefik/v2/pkg/rules"
 "github.com/sirupsen/logrus"
@@ -224,9 +225,20 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht
 return
 }
- // Set the CSRF cookie
- csrf := MakeCSRFCookie(r, nonce)
- http.SetCookie(w, csrf)
+ var setCsrfCookie = true
+ var csrf *http.Cookie
+ // Check for existing CSRF cookie
+ for _, v := range r.Cookies() {
+ if strings.Contains(v.Name, config.CSRFCookieName) {
+ setCsrfCookie = false
+ }
+ }
+
+ if setCsrfCookie {
+ // Set the CSRF cookie
+ csrf := MakeCSRFCookie(r, nonce)
+ http.SetCookie(w, csrf)
+ }
 if !config.InsecureCookie && r.Header.Get("X-Forwarded-Proto") != "https" {
 logger.Warn("You are using \"secure\" cookies for a request that was not " +
From 683a5fcbeb97b0dc195049e88ea2b94f6c06cc3f Mon Sep 17 00:00:00 2001
From: orvice
Date: Fri, 14 Jan 2022 16:10:51 +0800
Subject: [PATCH 2/2] fix missing csrf cookie
---
 internal/server.go | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/internal/server.go b/internal/server.go
index c26c6a90..0ca66996 100644
--- a/internal/server.go
+++ b/internal/server.go
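Review bot: In PATCH 1/2's authRedirect hunk, `var csrf *http.Cookie` is declared at function scope and then shadowed by `csrf := MakeCSRFCookie(r, nonce)` inside the `if setCsrfCookie` block, so the outer variable is either never used (Go rejects that as "declared and not used") or, if code past the hunk reads it, is always nil; use `csrf = MakeCSRFCookie(r, nonce)` or drop the outer declaration. When an existing cookie is found the redirect presumably still carries the freshly generated nonce while no cookie for that nonce is set, so the callback would have nothing matching to validate — PATCH 2/2 in this series reworks that path. `strings.Contains(v.Name, config.CSRFCookieName)` also matches any cookie whose name merely embeds the configured name; `strings.HasPrefix` is the tighter test. authRedirect starts before and continues after this hunk.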
@@ -225,20 +225,15 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht
 return
 }
- var setCsrfCookie = true
- var csrf *http.Cookie
- // Check for existing CSRF cookie
+ // clean existing CSRF cookie
 for _, v := range r.Cookies() {
 if strings.Contains(v.Name, config.CSRFCookieName) {
- setCsrfCookie = false
+ http.SetCookie(w, ClearCSRFCookie(r, v))
 }
 }
-
- if setCsrfCookie {
- // Set the CSRF cookie
- csrf := MakeCSRFCookie(r, nonce)
- http.SetCookie(w, csrf)
- }
+ // Set the CSRF cookie
+ csrf := MakeCSRFCookie(r, nonce)
+ http.SetCookie(w, csrf)
 if !config.InsecureCookie && r.Header.Get("X-Forwarded-Proto") != "https" {
 logger.Warn("You are using \"secure\" cookies for a request that was not " +
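Review bot: Expiring every existing CSRF cookie on each redirect (the `http.SetCookie(w, ClearCSRFCookie(r, v))` line) races concurrent auth flows: when a page and its sub-resources trigger several redirects in parallel, a later redirect clears the cookie an earlier one just set, so the earlier callback arrives with no cookie matching its nonce and fails CSRF validation — the same "missing csrf cookie" symptom this patch targets, now caused by concurrency rather than by the previous patch's logic. If cookie names carry a per-nonce suffix, as the substring match suggests, pruning only when the count exceeds a small bound (keep the most recent few) is safer than clearing everything. Independently, `strings.Contains(v.Name, config.CSRFCookieName)` will also expire any unrelated cookie whose name merely embeds the configured name; use `if strings.HasPrefix(v.Name, config.CSRFCookieName) {`. It is also worth confirming that ClearCSRFCookie reproduces the Path and Domain of the cookie being cleared, since a Set-Cookie with a different scope does not remove the original. authRedirect begins before and continues past this hunk.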