问题
I'm building an application in Laravel 5.1 for a client. After I finished the application I got back an pentest report which tells me to add a HttpOnly flag. I added 'secure' => true and 'http_only' => true to app/config/session.php. The httpOnly flag is set for all sessions, except the XSRF-TOKEN session. How am I able to set this flag as well?
回答1:
You are able to overwrite the method addCookieToResponse($request, $response) in App\Http\Middleware\VerifyCsrfToken
/**
* Add the CSRF token to the response cookies.
*
* @param \Illuminate\Http\Request $request
* @param \Illuminate\Http\Response $response
* @return \Illuminate\Http\Response
*/
protected function addCookieToResponse($request, $response)
{
$response->headers->setCookie(
new Cookie('XSRF-TOKEN',
$request->session()->token(),
time() + 60 * 120,
'/',
null,
config('session.secure'),
false)
);
return $response;
}
And do not forget to add
use Symfony\Component\HttpFoundation\Cookie;
回答2:
There is no such thing as a httpOnly flag for a CSRF token, only for cookies.
We need additional information, like the error you get or some code how you set the CSRF token, etc.
Also what do you mean by XSRF-TOKEN session? The session is bound to the user visiting the site, not the token.
回答3:
This can be fixed. If you need http only for token add this to VerifyCsrfToken middleware:
/**
* Add the CSRF token to the response cookies.
*
* @param \Illuminate\Http\Request $request
* @param \Symfony\Component\HttpFoundation\Response $response
* @return \Symfony\Component\HttpFoundation\Response
*/
protected function addCookieToResponse($request, $response)
{
$config = config('session');
$response->headers->setCookie(
new Cookie(
'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
$config['path'], $config['domain'], $config['secure'], true, false, $config['same_site'] ?? null
)
);
return $response;
}
来源:https://stackoverflow.com/questions/33870636/set-httponly-flag-for-csrf-token-in-laravel