Move CSRF implementation into session #1963

sethvargo · 2021-03-30T20:27:55Z

This drops the need for two separate cookies to maintain CSRF and removes a few layers of indirection for CSRF handling. CSRF values are now also tied to session duration.

This intentionally leaves the configuration and secret in place until the next release to provide a seamless transition.

Release Note

Move CSRF implementation into session.

This drops the need for two separate cookies to maintain CSRF and removes a few layers of indirection for CSRF handling. CSRF values are now also tied to session duration. This intentionally leaves the configuration and secret in place until the _next_ release to provide a seamless transition.

sethvargo requested review from mikehelmick and whaught March 30, 2021 20:27

sethvargo requested a review from a team as a code owner March 30, 2021 20:27

google-cla bot added the cla: yes Auto: added by CLA bot when all committers have signed a CLA. label Mar 30, 2021

sethvargo enabled auto-merge (squash) March 30, 2021 20:28

sethvargo force-pushed the sethvargo/csrf branch from 2773f9f to a61c434 Compare March 30, 2021 20:28

mikehelmick approved these changes Mar 31, 2021

View reviewed changes

sethvargo merged commit 761ca06 into main Mar 31, 2021

sethvargo deleted the sethvargo/csrf branch March 31, 2021 17:36

github-actions bot locked as resolved and limited conversation to collaborators Apr 2, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Move CSRF implementation into session #1963

Move CSRF implementation into session #1963

sethvargo commented Mar 30, 2021

Move CSRF implementation into session #1963

Move CSRF implementation into session #1963

Conversation

sethvargo commented Mar 30, 2021