Multiple _gorilla_csrf cookies create an issue
positiveojm opened this issue · 2 comments
Hello, I'm pretty new to the community. I was trying to figure this out on my own and I just can't figure it out so here I go...
I've been using gorilla/csrf for the past 3 years without an issue in both dev and prod environments. All of a sudden I get a "Forbidden - CSRF token invalid" error in both environments. This error is inconsistent. If I delete all the cookies and make a new POST request, sometimes it works, sometimes it doesn't.
What I see is that when it works, I have only 1 "_gorilla_csrf" cookie. When it doesn't work, I have 7 "_gorilla_csrf" cookies with different "path" values like /, /css, /image, /js, etc.
This is happening in both Chrome and Firefox.
Go version: go version go1.13.5 linux/amd64
package version: 9565ae2
…
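```go
// csrf.Secure(false) clears the Secure flag, so the CSRF cookie is also sent over plain HTTP.
httpOnly_REMOVED := csrf.Secure(false)
CSRF := csrf.Protect([]byte("32-byte-long-auth-key"), httpOnly_REMOVED) //32 byte key
http.ListenAndServe(":"+blogConfig.ServerPort, CSRF(mux))
```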
…
Thank you for your time reading and answering my question!
Hi elithrar,
Your comment helped me realize that I did recently add another web server to my subdomain and these web servers on different subdomains were creating _gorilla_csrf cookies which failed to authenticate.
Thank you for your help 👍
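A diagnostic for the symptom described in this thread, added here as an example (it is not code from the issue or from gorilla/csrf): it counts how many `_gorilla_csrf` cookies arrive on a request and shows that a lookup by name only ever sees the first one. The function names, the host `app.example.test` and the token values are constructed for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

const csrfCookieName = "_gorilla_csrf" // cookie name reported in the issue

// requestWithCookies builds a POST request carrying a raw Cookie header (constructed input).
func requestWithCookies(cookieHeader string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://app.example.test/comment", nil)
	r.Header.Set("Cookie", cookieHeader)
	return r
}

// countCookie reports how many cookies with this name the browser sent.
// The Cookie header carries only name=value pairs, never Path or Domain,
// so copies set for different paths or hosts cannot be told apart here.
func countCookie(r *http.Request, name string) int {
	n := 0
	for _, c := range r.Cookies() {
		if c.Name == name {
			n++
		}
	}
	return n
}

// firstValue returns what a lookup by name yields: r.Cookie stops at the first match.
func firstValue(r *http.Request, name string) string {
	c, err := r.Cookie(name)
	if err != nil {
		return ""
	}
	return c.Value
}

// logDuplicateCSRF is middleware that logs requests carrying more than one CSRF cookie.
func logDuplicateCSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if n := countCookie(r, csrfCookieName); n > 1 {
			log.Printf("%s %s: %d %q cookies sent", r.Method, r.URL.Path, n, csrfCookieName)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	r := requestWithCookies("_gorilla_csrf=tokenA; session=s1; _gorilla_csrf=tokenB; _gorilla_csrf=tokenC")
	fmt.Println(countCookie(r, csrfCookieName), firstValue(r, csrfCookieName))
}
```

Wrapping the outermost handler with `logDuplicateCSRF` records which requests arrive with duplicates, which helps correlate the intermittent "CSRF token invalid" responses with the extra cookies.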