The secure flags for the _csrf and PHPSESSID cookies are set to false by default. How do I change these to true?
thanks
Hi @parasporin,
The csrf protection is enabled by default in Yii 2.
And although I’m not very sure what you are concerned about with the word “phpsessid”, Yii 2 has no vulnerability against session hijacking and session fixation attacks and has no “switch” regarding them.
thanks for the reply
I am developing a web app for my use at a university. The university ran a security audit and it said the PHPSESSID and _csrf cookies’ secure flags are set to false and that I need to set them to true. I checked these cookies, and the secure flags are set to false. Is it possible through the config file or something to set them to true?
Please check the API reference of yii\web\Cookie (https://www.yiiframework.com/doc/api/2.0/yii-web-cookie). It has a property called secure (https://www.yiiframework.com/doc/api/2.0/yii-web-cookie#$secure-detail). It is false by default, as you said.
You can set it to true in your application config, if your site is running on https.
Thanks for your reply. I had read the API on cookies and saw the secure property; however, it was my understanding that, at least up to 2017, it was only possible to set this property at the object level (https://github.com/samdark/yii2-cookbook/blob/master/book/cookies.md) and not at the application level (how to set ALL cookies httpOnly and secure).
Can you give me example syntax for how to set the secure flag for PHPSESSID and _csrf cookies in the config file?
thanks
I see. I didn’t know that.
I’m not sure, but probably Session::cookieParams may solve the problem as far as PHPSESSID is concerned.
As for csrf, I think you can try yii\web\Request::csrfCookie (https://www.yiiframework.com/doc/api/2.0/yii-web-request#$csrfCookie-detail).
Would you please check them and tell me the result?
I looked at the API and tooled around a bit with your suggestions, but no luck. The problem is that I am a biochemist at a university, with no computer training (which says a LOT for Yii), so it is unlikely I can easily crack this. I only allow HTTPS traffic to the site, so I'm not sure this is a big issue and maybe university security will give things a pass. Anyway, if you come across a way to set the secure flag for Yii-generated cookies, please pass it on.
thanks again.
Please try adding 'httpOnly' => true, 'secure' => true to the configuration of Request::csrfCookie and Session::cookieParams in your config/web.php like the following:
    'components' => [
        'request' => [
            // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
            'cookieValidationKey' => 'xxx...xxx',
            'csrfCookie' => [
                'httpOnly' => true,
                'secure' => true,
            ],
        ],
        ...
        'session' => [
            'class' => 'yii\web\DbSession',
            'timeout' => '600',
            'cookieParams' => [
                'httpOnly' => true,
                'secure' => true,
            ],
        ],
    ],
Something like this worked for me for the “PHPSESSID” and “_csrf” cookies.
BTW, you have been right to say that we cannot set those settings for ALL cookies globally. For example, if you enable the “Remember Me” feature in the login form, it may create a non-secure cookie named “_identity”.
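To confirm what the audit actually sees after applying a config like the one above, here is an added check (my own example, not code from the thread or from Yii) that parses raw Set-Cookie header values and reports which cookies still lack the Secure or HttpOnly attribute. The sample headers are constructed to mirror the thread: PHPSESSID and _csrf covered by the config, _identity from "Remember Me" not.

```python
"""Report cookies whose Set-Cookie header lacks the Secure or HttpOnly flag."""


def parse_set_cookie(header):
    """Return {'name', 'secure', 'httponly'} for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); Secure and HttpOnly
    # are bare flags, so only the part before any '=' matters.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit_cookies(headers):
    """Map each cookie name to the list of flags it is missing ([] means OK)."""
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie["secure"]:
            missing.append("Secure")
        if not cookie["httponly"]:
            missing.append("HttpOnly")
        findings[cookie["name"]] = missing
    return findings


# Constructed sample headers (assumed values, not captured from a real server).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly; Secure",
    "_csrf=def456; path=/; HttpOnly; Secure",
    "_identity=ghi789; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Against a live site you would feed it the Set-Cookie lines from a real response (for example the output of `curl -sI https://your-site/`), which is the same thing the browser inspector shows you.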
I had tried this from your earlier suggestion and it “did not work”. Actually, I think I was just using Firefox’s inspector incorrectly (learning as I go). Looking at the response cookie from the server, it shows httpOnly and secure as true based on the config file code you suggested, so I think that should do it.
Many thanks for your help and time!!
Thank you, @parasporin. Actually it was you that taught me. I learned a lot on this matter from the conversation with you. Thank you.