From ee7e5ab6a895caad50c746a7ecc0e67ceac78af0 Mon Sep 17 00:00:00 2001
From: zh199225
Date: Thu, 19 Aug 2021 13:08:29 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=AD=A3=EF=BC=9AXSRFToken=E5=87=BD?=
 =?UTF-8?q?=E6=95=B0=E5=9C=A8=E7=89=B9=E5=AE=9A=E6=83=85=E5=86=B5=E4=B8=8B?=
 =?UTF-8?q?=E4=BC=9A=E4=BA=A7=E7=94=9F=E5=A4=9A=E4=B8=AA=E4=B8=8D=E5=90=8C?=
 =?UTF-8?q?Path=E7=9A=84=5Fxsrf=E5=90=8C=E5=90=8Dcookie?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

例如:访问”/login“页面,有个表单,此时会产生一个_xsrf cookie,Path为”/“,此时手动删除_xsrf cookie,Post提交到“/test/post”,会报错expected XSRF not found;后退到”/login“页面,会产生一个Path为”/login“的_xsrf cookie,然后访问"/"根页面,再回到"/login"页面,这时会产生两个_xsrf cookie,Path分别为"/"和”/login",再向"/test/post"页面提交,后端就可能读到错误的_xsrf cookie造成XSRF验证失败。
在XSRFToken函数中,将SetSecureCookie函数中的Path参数固定为"/",可以解决这个问题
---
 server/web/context/context.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/web/context/context.go b/server/web/context/context.go
index f55112c8..42cc4035 100644
--- a/server/web/context/context.go
+++ b/server/web/context/context.go
@@ -270,7 +270,7 @@ func (ctx *Context) XSRFToken(key string, expire int64) string {
 if !ok {
 token = string(utils.RandomCreateBytes(32))
 // TODO make it configurable
- ctx.SetSecureCookie(key, "_xsrf", token, expire, "", "")
+ ctx.SetSecureCookie(key, "_xsrf", token, expire, "/", "")
 }
 ctx._xsrfToken = token
 }
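Review bot: Pinning Path to "/" on the changed line only stops new narrower-path `_xsrf` cookies from being created; it does nothing for clients that already hold one, so a browser with a `/login`-scoped copy keeps sending both (RFC 6265 orders the longer path first) and the mismatch the commit message describes persists for that client until the old cookie expires. The reason for the hard-coded path should be recorded next to the existing TODO, e.g. `// Pin Path to "/" so exactly one _xsrf cookie exists per host; an empty path lets the browser default-path the cookie to the request's directory, and a second, narrower copy then shadows this one.` The last two arguments of the call are still empty, so if SetSecureCookie's variadic tail carries domain/secure/httponly flags (not visible in this hunk), the token cookie is presumably sent without Secure even over TLS — worth confirming and setting for TLS deployments. XSRFToken begins before this hunk; the `ok` tested on its first line and the `_xsrfToken` field are defined outside it.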