_csrf and phpsessid cookies- set secure flag to true


(Ammonstt) #1

the secure flags for _csrf and phpsessid cookies are set to false by default- how do i change these to true.

thanks


(Softark) #2

Hi @parasporin,

The csrf protection is enabled by default in Yii 2.
And although I’m not very sure what you concern about with the word “phpsessid”, Yii 2 has no vulnerability against session hijacking and session fixation attacks and has no “switch” regarding them.


(Ammonstt) #3

thanks for the reply
I am developing a web app for my use at a university. The university ran a security audit and it said the PHPSESSID and _csrf cookies’ secure flags are set to false and that i need to set them to true. I checked these cookies, and the secure flags are set to false. Is it possible through the config file or something to set them to true?


(Softark) #4

Please check the API reference of yii\web\Cookie (https://www.yiiframework.com/doc/api/2.0/yii-web-cookie)

It has a property called secure (https://www.yiiframework.com/doc/api/2.0/yii-web-cookie#$secure-detail). It is false by default, as you said.

You can set it to true in your application config, if your site is running on https.


(Ammonstt) #5

thanks for your reply- i had read the api on cookies and saw the secure property, however it was my understanding that, at least up to 2017, it was only possible to set this property at the object level (https://github.com/samdark/yii2-cookbook/blob/master/book/cookies.md) and not at the application level (how to set ALL cookies httpOnly and secure).
Can you give me example syntax for how to set the secure flag for PHPSESSID and _csrf cookies in the config file?

thanks


(Softark) #6

I see. I didn’t know that.

I’m not sure, but probably Session::cookieParams may solve the problem as far as PHPSESSID is concerned.

As for csrf, I think you can try yii\web\Request::csrfCookie
https://www.yiiframework.com/doc/api/2.0/yii-web-request#$csrfCookie-detail

Would you please check them and tell me the result?


(Ammonstt) #7

I looked at the api and tooled around a bit with your suggestions, but no luck. Problem is that i am a biochemist at a university, with no computer training (which says a LOT for Yii), so it is unlikely i can easily crack this. I only allow Https traffic to
the site, so not sure this is a big issue and maybe university security will give things a pass. Anyway, if you come across a way to set the secure flag for Yii-generated cookies, please pass it on.

thanks again.


(Softark) #8

Please try adding 'httpOnly' => true, 'secure'=>true to the configuration of Request::csrfCookie and Session::cookieParams in your config/web.php like the following:

    'components' => [
        'request' => [
            // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
            'cookieValidationKey' => 'xxx...xxx',
            'csrfCookie' => [
                'httpOnly' => true,
                'secure' => true,
            ],
        ],
        ...
        'session' => [
            'class' => 'yii\web\DbSession',
            'timeout' => '600',
            'cookieParams' => [
                'httpOnly' => true,
                'secure' => true,
            ],
        ],

Something like this worked for me for ‘PHPSESSID’ and ‘_csrf’ cookies.

BTW, you have been right to say that we can not set those settings to ALL Cookies globally. For example, if you enables “Remember Me” feature in the login form, it may create a non-secure cookie named ‘_identity’.


(Ammonstt) #9

I had tried this from your earlier suggestion and it ‘did not work’. Actually, i think i was just using firefox’s inspector incorrectly (learning as i go). Looking at the response cookie from the server, it will show httpOnly and secure as true based on config
file code you suggested- so i think that should do it.

Many thanks for your help and time!!


(Softark) #10

Thank you, @parasporin. Actually it was you that taught me. I learned a lot on this matter from the conversation with you. Thank you.