You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To get session in WebSocket, we need to include _csrf_token in the connection parameters. However, if the CSRF token was generated using Plug.CSRFProtection.get_csrf_token_for/1, the validation will always fail.
Expected behavior
Should using host specific CSRF token succeed in WebSocket session? (unless it's by design for some reason?).
Explaination
This happens in 1.7.10 but I guess it also happens in the main branch. Given the CSRF token validation function used in Phoenix.Socket.Transport is Plug.CSRFProtection.valid_state_and_csrf_token?/2, which only accept the format of the CSRF token to be
Environment
Actual behavior
To get session in WebSocket, we need to include
_csrf_tokenin the connection parameters. However, if the CSRF token was generated usingPlug.CSRFProtection.get_csrf_token_for/1, the validation will always fail.Expected behavior
Should using host specific CSRF token succeed in WebSocket session? (unless it's by design for some reason?).
Explaination
This happens in 1.7.10 but I guess it also happens in the main branch. Given the CSRF token validation function used in
Phoenix.Socket.TransportisPlug.CSRFProtection.valid_state_and_csrf_token?/2, which only accept the format of the CSRF token to beMaybe the following format should also be considered?
The text was updated successfully, but these errors were encountered: