[5.2] Set HttpOnly flag #12809
Depending on pull request laravel/laravel#3697, then: we also need to update line 138, so it reads the http only flag from the session config file; then this value cannot be read by javascript.
Why are you not also updating the actual session cookie in StartSession?
As I mentioned, each cookie in Laravel will be stored using the "Illuminate\Cookie\CookieServiceProvider" class, which returns a single instance of "Illuminate\Cookie\CookieJar". The make function takes a default value of true for the httpOnly flag, so we need to pass it from the CookieServiceProvider class; the register function will be modified to contain the http only flag from the session configuration. Then we need to add an httpOnly class attribute to the CookieJar class; this value will be true by default and will then take the value from the session config while registering "CookieServiceProvider" (at class CookieJar, line 58).
Finally: to apply these settings we need to store cookies using the service provider "CookieServiceProvider", so we need to change the class "VerifyCsrfToken" and make the session use the provider. I'm so sorry that I cannot solve the StyleCI issue. Regards.
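The flow described in this comment, as an added illustration that is not Laravel's own code: a minimal jar whose default HttpOnly flag comes from the session config, with the per-cookie override that lets the XSRF-TOKEN cookie stay readable by JavaScript while the session cookie does not. `SimpleCookieJar`, `fromSessionConfig()` and the constructed `$sessionConfig` array are hypothetical names.

```php
<?php
// Added illustration, not Laravel's own code: a minimal cookie jar whose
// default HttpOnly flag is taken from the session config, as the PR proposes.
// SimpleCookieJar, fromSessionConfig() and $sessionConfig are hypothetical.

final class SimpleCookieJar
{
    /** @var bool Default applied to every cookie unless make() is given an explicit flag. */
    private $httpOnly;

    public function __construct(bool $httpOnly = true)
    {
        $this->httpOnly = $httpOnly;
    }

    public static function fromSessionConfig(array $sessionConfig): self
    {
        // Fall back to true when 'http_only' is absent, so an app that never
        // set the key keeps a session cookie that document.cookie cannot read.
        return new self((bool) ($sessionConfig['http_only'] ?? true));
    }

    /** Builds a Set-Cookie header value; null for $httpOnly means "use the jar default". */
    public function make(string $name, string $value, int $minutes, ?bool $httpOnly = null): string
    {
        $flag = $httpOnly ?? $this->httpOnly;
        $expires = gmdate('D, d M Y H:i:s \G\M\T', time() + $minutes * 60);
        $header = sprintf('%s=%s; Expires=%s; Path=/', $name, rawurlencode($value), $expires);

        return $flag ? $header . '; HttpOnly' : $header;
    }
}

// Constructed session config, standing in for config/session.php.
$sessionConfig = ['http_only' => true, 'lifetime' => 120];
$jar = SimpleCookieJar::fromSessionConfig($sessionConfig);

// Session ID cookie: inherits HttpOnly from the config, so script cannot read it.
echo $jar->make('laravel_session', 'constructed-session-id', $sessionConfig['lifetime']), PHP_EOL;

// XSRF-TOKEN must stay readable by the front end, which echoes it back in the
// X-XSRF-TOKEN header, so the CSRF middleware passes false explicitly.
echo $jar->make('XSRF-TOKEN', 'constructed-csrf-token', $sessionConfig['lifetime'], false), PHP_EOL;
```

Running it prints two Set-Cookie values; only the session cookie carries the HttpOnly attribute, which is the behaviour the thread agrees on for the defaults.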
I've also set the flag in the start session by using the cookie service provider.
I've updated session start, you can review it now. On Mon, Mar 21, 2016 at 4:15 PM, Taylor Otwell notifications@github.com
* | ||
* @var bool | ||
*/ | ||
protected $httpOnly = true; |
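Review bot: `protected $httpOnly = true;` hard-codes the jar-wide default on the declaration itself, so every cookie made without an explicit flag changes from the previous default of false to true, which the thread flags as a breaking change for a patch release. Suggest keeping the declared default at the previous value and letting CookieServiceProvider set it from the session config's http_only key during register, so existing applications see no change until they opt in.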
As I mentioned in #12818 (comment), making this default to true while previously it defaulted to false in a patch release should be considered a breaking change.
The default value was true, and it can be overridden by passing another value to the make function. Now all we have done is make it read this value from the session config.
and it can be override by passing another value to make function.
When anyone upgrades from, say, v5.2.24 to v5.2.25 (if this gets accepted), people shouldn't have to worry about any configuration change and everything should work as it did before.
OK, that's right. I'll update the cookie service provider file to keep it as the previous settings.
*/ | ||
protected $httpOnly = true; | ||
|
||
/** |
seems to be a TAB issue?
What is the status of this?
I've updated the code so we keep the previous behavior without change and tested it locally; you can run the tests and provide me with feedback.
There is still a mix-and-match between
Probs best doing this on 5.3 @taylorotwell.
But with these changes, if the user sets the
@crynobone the http_only setting will be applied to all cookies with the PR... Don't know if this is intended/wanted behavior though...
Yes, by default XSRF will be set to false and the session ID will be set to true, and when the HTTP_only flag is defined in the session config it will apply to all cookies.
@taylorotwell your feedback please?