Set httpOnly flag for CSRF token in Laravel

孤街浪徒 提交于 2020-12-29 09:57:33

问题


I'm building an application in Laravel 5.1 for a client. After I finished the application I got back an pentest report which tells me to add a HttpOnly flag. I added 'secure' => true and 'http_only' => true to app/config/session.php. The httpOnly flag is set for all sessions, except the XSRF-TOKEN session. How am I able to set this flag as well?


回答1:


You are able to overwrite the method addCookieToResponse($request, $response) in App\Http\Middleware\VerifyCsrfToken

/**
 * Add the CSRF token to the response cookies.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Illuminate\Http\Response  $response
 * @return \Illuminate\Http\Response
 */
protected function addCookieToResponse($request, $response)
{
    $response->headers->setCookie(
        new Cookie('XSRF-TOKEN',
            $request->session()->token(),
            time() + 60 * 120,
            '/',
            null,
            config('session.secure'),
            false)
    );

    return $response;
}

And do not forget to add

use Symfony\Component\HttpFoundation\Cookie;



回答2:


There is no such thing as a httpOnly flag for a CSRF token, only for cookies.

We need additional information, like the error you get or some code how you set the CSRF token, etc.

Also what do you mean by XSRF-TOKEN session? The session is bound to the user visiting the site, not the token.




回答3:


This can be fixed. If you need http only for token add this to VerifyCsrfToken middleware:

/**
 * Add the CSRF token to the response cookies.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Symfony\Component\HttpFoundation\Response  $response
 * @return \Symfony\Component\HttpFoundation\Response
 */
protected function addCookieToResponse($request, $response)
{
    $config = config('session');

    $response->headers->setCookie(
        new Cookie(
            'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
            $config['path'], $config['domain'], $config['secure'], true, false, $config['same_site'] ?? null
        )
    );

    return $response;
}


来源:https://stackoverflow.com/questions/33870636/set-httponly-flag-for-csrf-token-in-laravel

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!