authlib icon indicating copy to clipboard operation
authlib copied to clipboard

Published 20 hours ago verified publisher icon lepture

Session cookie grows indefinitely, results in CSRF Warning.

Open frozturk opened this issue 1 year ago • 3 comments

Describe the bug

When session cookie exceeds 4096 bytes, user is getting CSRF Warning. set_state_data assumes cookie can grow indefinitely

Error

CSRF Warning! State not equal in request and response.'

To Reproduce

Use SessionMiddleware from starlette, ie. fastapi demo. Go to login page several times but never login. Eventually set-cookie will try to write more than 4096 bytes, browsers won't save the cookie, resulting in CSRF error because latest state is not in cookie.

Expected behavior

A cookie should never exceed 4096 bytes, so users can login without CSRF errors.

Additional context

This issue is potentially caused by commit Refactor whole client integrations. · lepture/authlib@179dc8a which were aiming to solve issue Allowing multiple authentication flows in parallel (e.g., in different tabs) · Issue #285 · lepture/authlib

Also see: Browser Cookie Limits: If you want to support most browsers, then don't exceed 50 cookies per domain, and don't exceed 4093** bytes per domain (i.e. total size of all cookies <= 4093 bytes).

frozturk avatar Jan 22 '24 17:01 frozturk

Also reporting the same issue. What I did to solve this in our integration (see https://github.com/gradio-app/gradio/pull/8000) is to catch the MismatchingStateError when it happens and delete all legacy states from the session cookie.

try:
    oauth_info = await oauth.huggingface.authorize_access_token(request)
except MismatchingStateError:
    # Delete all keys that are related to the OAuth state
    for key in list(request.session.keys()):
        if key.startswith("_state_huggingface"):
            request.session.pop(key)

    # Redirect back to login
    return RedirectResponse(login_uri)

Thanks @frozturk when founding out the root cause and hope this snippet will help future users until this bug is fixed.

(Regarding how to fix things in authlib itself, I don't know what should be the best approach. A naive solution is to clear previous states when adding a new one but it might cause (minor) discrepancies if a user is working in several tabs. @lepture Happy to open a PR though if this solution looks fine for you.)

Wauplin avatar Apr 11 '24 09:04 Wauplin

@Wauplin A PR is welcome. Thank you.

lepture avatar Apr 11 '24 13:04 lepture

@lepture I just opened https://github.com/lepture/authlib/pull/644. Please let me know what you think.

Wauplin avatar Apr 11 '24 14:04 Wauplin