Let CSRF Token Be Available #2523

zmetcalf · 2018-03-02T18:42:50Z

I am not sure if this is an issue or just a lack of understanding on my part, but the CRAFT_CSRF_TOKEN cookie is set as httpOnly on this line:

Line 103 in d8e0232

'httpOnly' => true

after being called from here:

Line 42 in ad74028

$request->csrfCookie = Craft::cookieConfig([], $request);

Should this cookie be hidden from JavaScript? If it isn't available to JavaScript, why is it there?

zmetcalf · 2018-03-02T21:05:47Z

Also, as a follow up question, is there a better way to force the session other than putting the {{ csrfInput()}} in the template? (re: #1765)

angrybrad · 2018-03-06T00:25:38Z

Should this cookie be hidden from JavaScript?

Yes, by default. It's reduces attack surface and most installs don't need access to it from JS.

If you have an explicit need where you need to, you can override component behavior in craft/config/app.php.

is there a better way to force the session other than putting the {{ csrfInput()}} in the template?

You can use `{{ craft.app.session.open() }}

zmetcalf · 2018-03-06T14:23:28Z

brandonkelly assigned angrybrad Mar 4, 2018

brandonkelly added the question label Mar 4, 2018

angrybrad closed this as completed Mar 6, 2018

Provide feedback