My goal is to log out programmatically from a controller. I use this nice solution. Everything works fine except that the LONGSESS (renamed REMEMBERME) cookie is not deleted. It is deleted, but not really :)
Logout in controller code:
$response = $this->redirectToRoute('homepage');
$response->headers->clearCookie('LONGSESS');
return $response;
So, I call this action.
Request headers for this action (as expected):
Cookie: SESS=n4jbl1m61l6bceesbeusrbq044; LONGSESS=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmRYTmxja0IxYzJWeUxtTnZiUT09OjE0NDgyMDMyMjQ6ZTFhNzBlNGEyMWM4NGM3N2UzYmI3ZmJiNWIzMGM5MDg2ZDAyOWY1ZGVhMWI4NTYyNGQ0OTJmNjVmNmRjOTY2NQ%3D%3D
Response headers to this action (as expected):
Set-Cookie:SESS=ai1gt79r49o184du3tknv7tdf6; path=/; domain=.myhost.local
Set-Cookie:LONGSESS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
Set-Cookie:SESS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
Redirect headers (as expected):
Location:/app_dev.php/
Next request headers to homepage (NOT as expected - the LONGSESS value is the same as in the previous request):
Cookie:LONGSESS=QXBwQnVuZGxlXEVudGl0eVxVc2VyOmRYTmxja0IxYzJWeUxtTnZiUT09OjE0NDgyMDMyMjQ6ZTFhNzBlNGEyMWM4NGM3N2UzYmI3ZmJiNWIzMGM5MDg2ZDAyOWY1ZGVhMWI4NTYyNGQ0OTJmNjVmNmRjOTY2NQ%3D%3D; SESS=ai1gt79r49o184du3tknv7tdf6
So user is not logged out.
How can this be? The LONGSESS cookie is set to deleted and expired, but the next request has the same value?
The solution is to set the third argument, domain, in the clearCookie method call. It has to be equal to the domain in the session settings:
framework:
    session:
        cookie_domain: YOUR-DOMAIN.COM
and
firewalls:
    your_firewall:
        remember_me:
            domain: YOUR-DOMAIN.COM
So, the right way:
$response->headers->clearCookie('LONGSESS', '/', 'YOUR-DOMAIN.COM');
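Added example (not part of the original answer or of Symfony): the reason the domain argument matters is that a browser keys stored cookies by name, domain and path, so a deletion Set-Cookie without a domain attribute targets a host-only cookie that does not exist, and the remember-me cookie scoped to the parent domain survives. The script below reproduces that with Python's standard-library cookie jar. The host names, URLs and cookie value are constructed; the two deletion headers mirror the Set-Cookie emitted by clearCookie('LONGSESS') and by clearCookie('LONGSESS', '/', 'example.com').

```python
# Added example (not from the original post or from Symfony): model what the
# browser does with the Set-Cookie headers above, using the standard-library
# cookie jar. Host names, URLs and the cookie value are constructed.
import http.cookiejar
import urllib.request
from email.message import Message

LOGIN_URL = "http://app.example.com/login"    # constructed
LOGOUT_URL = "http://app.example.com/logout"  # constructed
HOME_URL = "http://app.example.com/"          # constructed

# Remember-me cookie as the firewall sets it: scoped to the parent domain.
LOGIN_SET_COOKIE = "LONGSESS=rememberme-token; path=/; domain=.example.com; httponly"

# clearCookie('LONGSESS') with no domain argument: the deletion is host-only.
DELETE_NO_DOMAIN = (
    "LONGSESS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
    "Max-Age=0; path=/; httponly"
)
# clearCookie('LONGSESS', '/', 'example.com'): deletion scoped like the original.
DELETE_WITH_DOMAIN = (
    "LONGSESS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
    "Max-Age=0; path=/; domain=example.com; httponly"
)


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info().get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header)

    def info(self):
        return self._headers


def apply_set_cookie(jar, url, set_cookie_headers):
    """Feed Set-Cookie headers received for `url` into the jar, as a browser would."""
    jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie request header the jar would send to `url`, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def stored_cookies(jar):
    """(domain, name) pairs currently held by the jar; the domain is part of the key."""
    return sorted((c.domain, c.name) for c in jar)


def logout_scenario(delete_header):
    """Log in, apply the given deletion header, and report what the next request carries."""
    jar = http.cookiejar.CookieJar()
    apply_set_cookie(jar, LOGIN_URL, [LOGIN_SET_COOKIE])
    apply_set_cookie(jar, LOGOUT_URL, [delete_header])
    return stored_cookies(jar), cookie_header_for(jar, HOME_URL)


if __name__ == "__main__":
    for label, header in (("no domain", DELETE_NO_DOMAIN), ("with domain", DELETE_WITH_DOMAIN)):
        stored, sent = logout_scenario(header)
        print(f"{label:12s} stored={stored} next Cookie header={sent!r}")
```

With DELETE_NO_DOMAIN the jar still holds LONGSESS under .example.com and sends it on the next request, which is the trace in the question; with DELETE_WITH_DOMAIN the entry is removed and no Cookie header is sent. The same key (name, domain, path) is why the path argument must match as well.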
Have you tried:
$response->sendHeaders();
right after:
$response->headers->clearCookie('LONGSESS');
?
I use the set_cookie function and set the TTL to 10 seconds.
Example response from server:
Set-Cookie: COOKIE_10=VALUE; expires=Sun, 07-Nov-2021 16:40:43 GMT; Max-Age=10; path=/
After that I checked the cookie expiry time in the Tor Browser:
"Expires": "At the end of the session",
"Expires raw": "0",
It's always "At the end of the session".
I checked in Chrome and the cookie expiry time works fine.
Is there any way to make Tor set the expiry date correctly?
Tor default settings
If you open about:config and search for network.cookie.lifetimePolicy, you can see the value is set to 2.
Change it to 0 to let it be supplied by the server. You can read more about it here: http://kb.mozillazine.org/Network.cookie.lifetimePolicy
I have a strange issue where after I regenerate a session ID using
session_regenerate_id(true);
The cookie seems to lose its "Secure, HttpOnly" flags.
I can reset the cookie by using
$params = session_get_cookie_params();
setcookie("PHPSESSID", session_id(), 0, $params["path"], $params["domain"],
true, // this is the secure flag you need to set. Default is false.
true // this is the httpOnly flag you need to set
);
but Veracode (which we use for security testing) is flagging it as insecure because the first cookie (the one that is regenerated) does not have the Secure, HttpOnly tags in the header.
Here is the sample header
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Nov 2018 12:56:41 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=98
Location: home.php
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/; secure; HttpOnly
Veracode is flagging the issue because the first cookie does not have the Secure, HttpOnly tags. I guess it's only reading the first, or it feels that them not showing up by default is insecure. How do I go about forcing those tags on a regenerated session? Or is there a better way to achieve what they ask? Here is my code.
session_start();
$_SESSION = array();
session_unset();
session_destroy();
session_start(); //Not sure if this is needed
session_regenerate_id(true);
$params = session_get_cookie_params();
setcookie("PHPSESSID", session_id(), 0, $params["path"], $params["domain"],
true, // this is the secure flag you need to set. Default is false.
true // this is the httpOnly flag you need to set
);
In your local php.ini settings (typically a file called user.ini, found in the root HTML directory of your website account), you can set the php.ini values:
session.cookie_secure=1
session.cookie_httponly=1
session.use_only_cookies=1
and this will mean any usage of session cookies by this account (this website) will conform to the above requirements.
This is much better than coding these requirements into your scripts, as this can be easily missed or overlooked down the line.
Your script can then be:
session_start();
...
session_regenerate_id(true);
And you will know everything else will be taken care of automatically.
You can read a little more about session security HERE.
You can call
session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = FALSE [, bool $httponly = FALSE ]]]] )
before session_start().
The session_unset, destroy and start are not needed then. Also don't assign a value to $_SESSION, as you are overwriting the session data.
https://secure.php.net/manual/en/function.session-set-cookie-params.php
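Added example (not code from the question or either answer): a small Python checker that does what the scanner in the question does, parsing every Set-Cookie header in a response and reporting the ones that lack Secure or HttpOnly. SAMPLE_RESPONSE is the header block pasted in the question; FIXED_RESPONSE is constructed, with a made-up session id, to show a response that passes once PHP itself emits the flags (session.cookie_secure/session.cookie_httponly, or session_set_cookie_params() before session_start()).

```python
# Added example (not from the question or the answers): report every Set-Cookie
# header in a response that lacks the Secure or HttpOnly flag, the check a
# scanner applies to the regenerated session cookie. SAMPLE_RESPONSE is the
# header block pasted in the question; FIXED_RESPONSE is constructed (made-up
# session id) to show a response that passes.
from dataclasses import dataclass, field

SAMPLE_RESPONSE = """\
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Nov 2018 12:56:41 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=98
Location: home.php
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/
Set-Cookie: PHPSESSID=18a289a6c8d34b0df72dafc9d5e12c92; path=/; secure; HttpOnly
"""

# Constructed: what the same redirect looks like once PHP itself emits the flags.
FIXED_RESPONSE = """\
Location: home.php
Set-Cookie: PHPSESSID=0f3a9c1d2e4b5a6978c0d1e2f3a4b5c6; path=/; secure; HttpOnly
"""

# Attribute names are compared case-insensitively, as browsers do.
REQUIRED_FLAGS = ("secure", "httponly")


@dataclass
class SetCookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # lower-cased attribute -> value or None

    def missing_flags(self):
        return [flag for flag in REQUIRED_FLAGS if flag not in self.attributes]


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value: the first pair is name=value, the rest are attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header_value!r}")
    cookie = SetCookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        attr, _, attr_value = part.partition("=")
        cookie.attributes[attr.strip().lower()] = attr_value.strip() or None
    return cookie


def set_cookie_values(raw_headers):
    """Yield the value of every Set-Cookie header in a raw header block, in order."""
    for line in raw_headers.splitlines():
        field_name, sep, field_value = line.partition(":")
        if sep and field_name.strip().lower() == "set-cookie":
            yield field_value.strip()


def audit(raw_headers):
    """Return (position, cookie name, missing flags) for each Set-Cookie that fails."""
    findings = []
    for position, value in enumerate(set_cookie_values(raw_headers), start=1):
        cookie = parse_set_cookie(value)
        missing = cookie.missing_flags()
        if missing:
            findings.append((position, cookie.name, missing))
    return findings


if __name__ == "__main__":
    for label, response in (("question", SAMPLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit(response) or "all Set-Cookie headers carry Secure and HttpOnly")
```

Each Set-Cookie header is judged on its own, so the second, flagged header for PHPSESSID does not clear the finding against the first one; the regenerated cookie itself has to carry the flags, which is exactly what the ini settings or session_set_cookie_params() achieve. Adding "samesite" to REQUIRED_FLAGS extends the check to the SameSite attribute.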
How do I get the CSRF token in Yii without setting the _csrf cookie? I tried many things, but nothing works. Each time I try to access the CSRF token, it sets a cookie.
<?//= Html::csrfMetaTags() // sets _csrf cookie. prevents Fastly CDN caching. ?>
<?php
$this->registerMetaTag(['name' => 'csrf-param', 'content' => '_csrf']);
$this->registerMetaTag(['name' => 'csrf-token', 'content' => 'xxx']);
Yii::$app->request->csrfToken;
?>
Yields
$ curl -I http://localhost:81/xxx/web/shopping/search?q=toaster
...
Set-Cookie: _csrf=0fe1db8822f87506dd00feefb32438ffee24116b4ec717287e23422d81feb32ea%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22DkE4S5EYilTEkubAr-dWda5CV0y5XCEp%22%3B%7D; path=/; httponly
It doesn't set the cookie when I comment out Yii::$app->request->csrfToken;. I've also tried unsetting the cookie immediately afterward, but then it sends Set-Cookie: _csrf=delete; expires=Thu, 01-Jan-1970 00:00:01 GMT; to the browser. I also tried setting $enableCsrfCookie to false, but then it sets a PHPSESSID cookie.
I need the CSRF meta tags for the logout link, which uses POST and JavaScript to submit. The forms work OK, as they insert the CSRF token into the <form> tags.
I discovered that there is a second parameter to remove() which prevents sending to the browser, so I can get the token, then immediately delete the cookie.
Yii::$app->response->cookies->remove('_csrf', false);
I am debugging an issue with a Magento system.
The problem is a duplicated Set-Cookie header, like this:
Set-Cookie: flimmit_session=search-0c30086b812519b006aa27ef4f37f15b-24; path=/; domain=.flimmit.com; httponly
Set-Cookie: flimmit_session=search-0c30086b812519b006aa27ef4f37f15b-24; path=/; domain=.flimmit.com; httponly
The cookie is set using PHP's setcookie function. My question is whether incorrect use of this function can result in a duplicate Set-Cookie header, or whether I have to look somewhere else for the error...
Yes, calling setcookie() twice with the same data will result in two identical Set-Cookie: headers. I have just tried it, and it does.
It shouldn't cause a problem though, the cookie will always have the value defined by the last setcookie() call...
I log in to a website and it returns a cookie via the header.
The cookie's name is fb_cookie. I try to read it with the PHP code below, but it returns nothing. How can I fetch a cookie set via the header?
echo $_COOKIE["fb_cookie"];
This is the response from the header (read by the Poster plugin in Firefox):
fb_cookie=1554e662b9914b5d640d655f-627185705%7C6LneHfe-wWAworIG2hTHSzxuqkw.; path=/; expires=Thu, 07-Jul-2011 12:57:05 GMT
_lambda_session=BAh7BzoMdXNlcl9pZGkBkToPc2Vzc2lvbl9pZCIlOGY2Y2U2ZDhlMDcyNTdjMDM4ZjYyNjQ4ZmU5OGU1ZTU%3D--3e60eb15a406a9320f7ab83fb7e0866198f4b6c7; path=/; HttpOnly
Please help!
$_COOKIE contains the cookies the user sends to your PHP page. You want the cookie which another page sends to you.
If you use curl to retrieve the page, the CURLOPT_COOKIEJAR option may help.