[Question] Where to store the CSRF state token when performing OAuth login?

polaris · 390 views
This is a resource shared on [date not given]; the information in it may since have developed or changed.
Hey all,

I am following the code in [this article](https://blog.kowalczyk.info/article/f/accessing-github-api-from-go.html) where, in order to log in with GitHub, a `handleGitHubLogin` handler is used for the OAuth request and a `handleGitHubCallback` handler for the callback.

In this example, the `oauthStateString` state token is stored as a global value in the program. Even if the program creates a new random state token on restart, is it safe to use the same state token for all GitHub logins as long as the server is running?

I thought that it might be better if `handleGitHubLogin` creates the state token per request, but then my question is, how will `handleGitHubCallback` be able to check if the state token is the same as the one returned from GitHub?

Thank you

---

**Comments:**

**metamatic:**

Check the [CSRF cheat sheet](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet). An HttpOnly cookie is often used.

**nesigma:**

Okay, I deployed the program on a production server so now it serves HTTPS. The cookie now survives the round trip and works fine!

Thanks a lot for the help!

Do you happen to know how safe it is from a security perspective to store that state token in a cookie, assuming HTTPS? I am using an HttpOnly and Secure cookie and an expiry time of 5 minutes.

Any recommendations or best practices for security?

**metamatic:**

Depending on how accurate your server clock is going to be, you might want to set the expiry time shorter.
I assume you're already keeping a server-side list to prevent the cookie being accepted twice (replay attack).

You could encrypt and sign the CSRF token for added security, but assuming you've made your tokens hard to guess and you're preventing replay attacks and using OpenID-style OAuth2 token exchange, it's probably not necessary.

**nesigma:**

> Depending on how accurate your server clock is going to be, you might want to set the expiry time shorter.

I don't know how accurate a server clock is or how to check that. I am currently deploying on Ubuntu 16.04, but I suppose it could be deployed on any other server. How short are we talking about? How about 30 seconds?

> I assume you're already keeping a server-side list to prevent the cookie being accepted twice (replay attack).

I have no such mechanism. I am using HTTPS and an HSTS header. Could you elaborate on this please so I can implement it?

Right now there's a login handler and a callback handler. The login handler generates a random string (the OAuth state token) using [this method](https://elithrar.github.io/article/generating-secure-random-numbers-crypto-rand/) and stores it in a Secure, HttpOnly cookie. Then the callback handler searches for that cookie and checks if the state token returned from GitHub matches the cookie value.

What kind of list do I need to keep on the server side? What should it prevent?

Thanks!

**nesigma:**

I set an HttpOnly cookie, but when the callback returns the cookie does not exist in the request.

**metamatic:**

You're doing something wrong then. Setting the cookie expiry time correctly?

**nesigma:**

I've tried with no expiry time, with 1 hour and 5 minutes, but still the same.
What's a good expiry time to set for this?

Could it be that the cookie does not "survive" the redirect?

**metamatic:**

An HttpOnly cookie will survive a round trip to an OAuth authentication endpoint. You'll have to use the browser debugging tools to work out what's going on.

**nesigma:**

I am already using the dev console. When I get the callback back from GitHub the cookie is not set.

If the cookie survives the round trip, then I suspect that since I am working on localhost, the cookie does not survive changing protocols from HTTPS on GitHub to HTTP on localhost.

**metamatic:**

Ah, now I see the problem. [You can't set cookies for localhost](https://bugs.chromium.org/p/chromium/issues/detail?id=56211).

**nesigma:**

It's the same on Firefox. I can set the cookie just fine, it just disappears after the round trip. I think it might be the change-of-protocols issue.
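The pattern the thread converges on (per-request state in a short-lived Secure/HttpOnly cookie, compared on callback, plus the server-side "accepted once" list metamatic asks about) is shown below as an added example. It is not code from the thread or from the linked article; the cookie name `oauth_state`, the helpers `newState`, `stateCookie`, `usedStates` and `checkCallback`, the 5-minute TTL and the placeholder authorize URL are all assumptions. The `secure` flag exists to make the localhost symptom explicit: a Secure cookie is never sent back over plain `http://localhost`, so the callback sees no cookie, which is exactly what nesigma observed before deploying behind HTTPS.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

const (
	stateCookieName = "oauth_state"    // assumed name
	stateTTL        = 5 * time.Minute // the 5-minute expiry used in the thread
)

// newState returns 32 bytes from crypto/rand, base64url-encoded (43 chars),
// so it is unguessable and safe to carry in a query string.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// stateCookie carries the state across the round trip to the provider.
// secure must be true in production; browsers do not send a Secure cookie
// over plain http://localhost, which is why it "disappears" there.
func stateCookie(state string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     stateCookieName,
		Value:    state,
		Path:     "/", // must cover the callback path
		MaxAge:   int(stateTTL.Seconds()),
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode, // still sent on the top-level redirect back from the provider
	}
}

// usedStates is the server-side list from the thread: each state is accepted once,
// so a captured state/cookie pair cannot be replayed through the callback.
type usedStates struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func newUsedStates() *usedStates { return &usedStates{seen: make(map[string]time.Time)} }

// consume records state as redeemed; it returns false if it was seen before.
// Entries older than stateTTL are pruned so the set stays bounded.
func (u *usedStates) consume(state string, now time.Time) bool {
	u.mu.Lock()
	defer u.mu.Unlock()
	for s, exp := range u.seen {
		if now.After(exp) {
			delete(u.seen, s)
		}
	}
	if _, dup := u.seen[state]; dup {
		return false
	}
	u.seen[state] = now.Add(stateTTL)
	return true
}

// loginHandler mints a fresh state per request (not one global value), stores it
// in the cookie and redirects to the authorize endpoint (authorizeURL is a placeholder).
func loginHandler(authorizeURL, clientID, redirectURI string, secure bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		state, err := newState()
		if err != nil {
			http.Error(w, "cannot generate state", http.StatusInternalServerError)
			return
		}
		http.SetCookie(w, stateCookie(state, secure))
		q := url.Values{"client_id": {clientID}, "redirect_uri": {redirectURI}, "state": {state}}
		http.Redirect(w, r, authorizeURL+"?"+q.Encode(), http.StatusFound)
	}
}

var (
	errNoCookie = errors.New("state cookie missing")
	errMismatch = errors.New("state does not match cookie")
	errReplayed = errors.New("state already used")
)

// checkCallback verifies a callback: the cookie must be present, the state query
// parameter must equal it (constant-time compare) and must not have been redeemed
// before. The cookie is cleared whatever the outcome, so it is single-use.
func checkCallback(w http.ResponseWriter, r *http.Request, used *usedStates, now time.Time) error {
	http.SetCookie(w, &http.Cookie{Name: stateCookieName, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
	c, err := r.Cookie(stateCookieName)
	if err != nil {
		return errNoCookie
	}
	got := r.URL.Query().Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errMismatch
	}
	if !used.consume(got, now) {
		return errReplayed
	}
	return nil
}

func main() {
	// Constructed round trip: a callback whose state matches the cookie, then the same request replayed.
	used := newUsedStates()
	state, _ := newState()
	req := httptest.NewRequest("GET", "/callback?state="+state+"&code=placeholder", nil)
	req.AddCookie(stateCookie(state, true))
	fmt.Println("first callback:   ", checkCallback(httptest.NewRecorder(), req, used, time.Now()))
	fmt.Println("replayed callback:", checkCallback(httptest.NewRecorder(), req, used, time.Now()))
}
```

Wire `loginHandler(...)` and a small wrapper around `checkCallback` into `http.ServeMux` and the global `oauthStateString` from the article is no longer needed: the state lives only in the requesting browser's cookie and, once redeemed, in the `usedStates` set. The TTL pruning also answers the clock question: the set only needs the server's own clock to be monotonic enough that an entry is not dropped before the matching cookie expires.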

