CodeIgniter Forums
security.csrfProtection = 'session'


security.csrfProtection = 'session' - donpwinston - 01-14-2022

Does anyone know the advantages or disadvantages of this setting?
security.csrfProtection = 'session'


RE: security.csrfProtection = 'session' - kenjis - 01-14-2022

As you already posted, 'cookie' is weaker than 'session'.
https://forum.codeigniter.com/thread-80877.html

session advantage:
- safer than cookie
  - If an attacker can inject a cookie into a user's browser, cookie-based CSRF protection is nullified.
  - It is easier to inject a cookie than to manipulate session data.

cookie advantage:
- stateless
  - No need to have the state in the server.
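The difference kenjis describes, as an added example that is not part of the thread and not CodeIgniter's own code: a simplified model (an assumption, not CI4's implementation) of a token kept in server-side session state versus a token kept only in a cookie, run against a constructed scenario where the attacker can plant a cookie in the victim's browser but cannot touch session data.

```python
import hmac
import secrets


def issue_session_token(session: dict) -> str:
    """'session' mode (modelled): the token is stored in server-side state."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def verify_session_mode(session: dict, submitted: str) -> bool:
    """Accept only if the submitted value matches the server-side copy."""
    expected = session.get("csrf_token")
    return expected is not None and hmac.compare_digest(expected, submitted)


def issue_cookie_token(cookies: dict) -> str:
    """'cookie' mode (modelled): the token lives only in a cookie the form echoes back."""
    token = secrets.token_hex(16)
    cookies["csrf_cookie"] = token
    return token


def verify_cookie_mode(cookies: dict, submitted: str) -> bool:
    """Accept if the cookie and the submitted field agree; no server state involved."""
    cookie = cookies.get("csrf_cookie")
    return cookie is not None and hmac.compare_digest(cookie, submitted)


def simulate_planted_cookie() -> dict:
    """Constructed scenario: the attacker can set a cookie for the site in the
    victim's browser but cannot read or write the server-side session."""
    session = {}  # server-side state, opaque to the attacker
    cookies = {}  # victim's cookie jar for the site
    issue_session_token(session)
    issue_cookie_token(cookies)
    planted = "attacker-chosen-value"  # hypothetical value the attacker controls
    cookies["csrf_cookie"] = planted   # the injected cookie overwrites the real one
    # The forged request carries the same value in the form field and the cookie.
    return {
        "cookie_mode_accepts_forgery": verify_cookie_mode(cookies, planted),
        "session_mode_accepts_forgery": verify_session_mode(session, planted),
    }
```

In the cookie model the forged request passes because both halves of the check are under the attacker's control; in the session model it fails because the server's copy was never touched.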


RE: security.csrfProtection = 'session' - donpwinston - 01-15-2022

(01-14-2022, 04:33 PM)kenjis Wrote: As you already posted, 'cookie' is weaker than 'session'.
https://forum.codeigniter.com/thread-80877.html

session advantage:
- safer than cookie
  - If an attacker can inject a cookie into a user's browser, cookie-based CSRF protection is nullified.
  - It is easier to inject a cookie than to manipulate session data.

cookie advantage:
- stateless
  - No need to have the state in the server.

Thanks. Dealing with all this security stuff is new to me.