CsrfTokenGeneratorMatcher sets cookie domain from serverName; incorrect behind API gateways. Please make domain configurable or forward-headers-aware

[kamonkaushals sd]

Problem :

cher.csrf.CsrfTokenGeneratorMatcher sets the CSRF token cookie’s domain using webContext.getServerName(). Behind an API gateway/reverse proxy, the backend server name often differs from the external host (e.g., internal-service vs app.example.com), so the browser ignores the cookie, breaking CSRF protection.

Expected: CSRF cookie domain should match the external host (e.g., from Host/Forwarded/X-Forwarded-Host) or be configurable. Alternatively, omit domain to use a host-only cookie.

Actual: Domain is derived from backend server name, causing the cookie to be unusable in browsers when proxied.

Affected versions:

pac4j-core: 6.2.2
org.pac4j :13.0.0-PLAY3.0

[kamonkaushals sd]

related class is org.pac4j.core.matching.matcher.csrf.CsrfTokenGeneratorMatcher not  cher.csrf.CsrfTokenGeneratorMatcher, sorry for typo error. 

[Jérôme LELEU]

Hi,

You can override default matchers by reusing the same name: https://www.pac4j.org/docs/matchers.html#3-default-matchers and set the domain in the CsrfTokenGeneratorMatcher component.

Thanks.

Best regards,

Jérôme

--
You received this message because you are subscribed to the Google Groups "Pac4j development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/pac4j-dev/02b35caa-e2e7-44e3-8835-3f940ebce929n%40googlegroups.com.

[kamonkaushals sd]

Hi  Jérôme

It possible to provide API gateway compatible solution as parent implementation though new PR.

Best regards,
 Kaushal

[Jérôme LELEU]

Hi,

Please submit a PR.

The discussion will be much easier.

Thanks.

Best regards,

Jérôme

To view this discussion visit https://groups.google.com/d/msgid/pac4j-dev/fd0534e3-7578-4853-84a4-4b986f119e0en%40googlegroups.com.