fix: use CSRFExpire instead of Expire for CSRF cookie validation (#3369)

* fix: use CSRFExpire instead of Expire for CSRF cookie validation Signed-off-by: Br1an67 <932039080@qq.com> * doc: add changelog entry for #3369 Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Br1an67 <932039080@qq.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
2026-03-18 22:30:07 +08:00 · 2026-03-18 22:30:07 +08:00 · ff357daa04
parent 7c96234233
commit ff357daa04
3 changed files with 27 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,6 +13,7 @@
 - [#2685](https://github.com/oauth2-proxy/oauth2-proxy/pull/2685) feat: allow arbitrary claims from the IDToken and IdentityProvider UserInfo endpoint to be added to the session state (@vegetablest)
 - [#3278](https://github.com/oauth2-proxy/oauth2-proxy/pull/3278) feat: possibility to inject id_token in redirect url during sign out (@albanf)
 - [#2851](https://github.com/oauth2-proxy/oauth2-proxy/pull/2851) feat: add support for specifying allowed OIDC JWT signing algorithms (#2753) (@andoks / @tuunit)
+- [#3369](https://github.com/oauth2-proxy/oauth2-proxy/pull/3369) fix: use CSRFExpire instead of Expire for CSRF cookie validation (@Br1an67)

 # V7.14.3

--- a/pkg/cookies/csrf.go
+++ b/pkg/cookies/csrf.go
@ -234,7 +234,7 @@ func decodeCSRFCookie(cookie *http.Cookie, opts *options.Cookie) (*csrf, error)
 		return nil, fmt.Errorf("error getting cookie secret: %v", err)
 	}

-	val, t, ok := encryption.Validate(cookie, secret, opts.Expire)
+	val, t, ok := encryption.Validate(cookie, secret, opts.CSRFExpire)
 	if !ok {
 		return nil, errors.New("CSRF cookie failed validation")
 	}
--- a/pkg/cookies/csrf_test.go
+++ b/pkg/cookies/csrf_test.go
@ -119,9 +119,33 @@ var _ = Describe("CSRF Cookie Tests", func() {
 				Value: encoded,
 			}

-			_, _, valid := encryption.Validate(cookie, cookieOpts.Secret, cookieOpts.Expire)
+			_, _, valid := encryption.Validate(cookie, cookieOpts.Secret, cookieOpts.CSRFExpire)
 			Expect(valid).To(BeTrue())
 		})
+
+		It("validates CSRF token using CSRFExpire when Expire is lower", func() {
+			// Set Expire to be much lower than CSRFExpire
+			cookieOpts.Expire = time.Second
+			cookieOpts.CSRFExpire = time.Hour
+
+			privateCSRF.OAuthState = []byte(csrfState)
+			privateCSRF.OIDCNonce = []byte(csrfNonce)
+
+			encoded, err := privateCSRF.encodeCookie()
+			Expect(err).ToNot(HaveOccurred())
+
+			cookie := &http.Cookie{
+				Name:  privateCSRF.cookieName(),
+				Value: encoded,
+			}
+
+			// The cookie should still be valid even though Expire is only 1 second
+			decoded, err := decodeCSRFCookie(cookie, cookieOpts)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(decoded).ToNot(BeNil())
+			Expect(decoded.OAuthState).To(Equal([]byte(csrfState)))
+			Expect(decoded.OIDCNonce).To(Equal([]byte(csrfNonce)))
+		})
 	})

 	Context("Cookie Management", func() {