security.csrfProtection = 'session'

CodeIgniter Forums (https://forum.codeigniter.com), CodeIgniter 4 Support. Thread: /showthread.php?tid=81018
security.csrfProtection = 'session' - donpwinston - 01-14-2022

Does anyone know the advantages or disadvantages of this setting?

security.csrfProtection = 'session'

RE: security.csrfProtection = 'session' - kenjis - 01-14-2022

As you already posted 'cookie' is weaker than 'session'.
https://forum.codeigniter.com/thread-80877.html

session advantage:
- safer than cookie
- If an attacker can inject a cookie to a user's browser, Cookie based CSRF protection is nullified.
- It is easier to inject a cookie than to manipulate session data.

cookie advantage:
- stateless
- No need to have the state in the server.

RE: security.csrfProtection = 'session' - donpwinston - 01-15-2022

(01-14-2022, 04:33 PM)kenjis Wrote: As you already posted 'cookie' is weaker than 'session'.

Thanks. Dealing with all this security stuff is new to me.
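The difference described in the answer above, as an added example that is not part of the thread and is not CodeIgniter's own code: a simplified plain-PHP model of the two checks, showing why a cookie-to-body comparison accepts a forged request once the cookie value is no longer trustworthy, while a session-stored token does not. The function names, the `csrf_cookie` and `csrf_token` keys, and all sample values are assumptions constructed for illustration.

```php
<?php
// Simplified model of the two CSRF checks; NOT CodeIgniter's implementation.
// Function names, array keys and sample values are hypothetical.

// Constant-time comparison that rejects missing or non-string values.
function tokensMatch($expected, $sent): bool
{
    return is_string($expected) && is_string($sent)
        && $expected !== '' && hash_equals($expected, $sent);
}

// 'cookie' mode: the server keeps no state. It accepts the request when the
// token in the body equals the token in the cookie sent with the request.
function verifyCookieMode(array $cookies, array $post): bool
{
    return tokensMatch($cookies['csrf_cookie'] ?? null, $post['csrf_token'] ?? null);
}

// 'session' mode: the expected token is read from server-side session data,
// which cannot be changed by writing cookies in the user's browser.
function verifySessionMode(array $session, array $post): bool
{
    return tokensMatch($session['csrf_token'] ?? null, $post['csrf_token'] ?? null);
}

// Constructed scenario: the server issued this token to the user.
$issued  = bin2hex(random_bytes(16));
$session = ['csrf_token' => $issued];

// Legitimate form post: cookie, body and session all carry the issued token.
$legitCookies = ['csrf_cookie' => $issued];
$legitPost    = ['csrf_token' => $issued];

// Forged post after a cookie was injected: cookie and body carry the same
// foreign value, while the session still holds the token the server issued.
$foreign       = str_repeat('a', 32);
$forgedCookies = ['csrf_cookie' => $foreign];
$forgedPost    = ['csrf_token' => $foreign];

$results = [
    'cookie mode, legitimate post'  => verifyCookieMode($legitCookies, $legitPost),
    'cookie mode, forged post'      => verifyCookieMode($forgedCookies, $forgedPost),
    'session mode, legitimate post' => verifySessionMode($session, $legitPost),
    'session mode, forged post'     => verifySessionMode($session, $forgedPost),
];

foreach ($results as $case => $accepted) {
    printf("%-30s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```

The trade-off kenjis lists is visible in the signatures: `verifySessionMode` needs `$session`, which is the server-side state that cookie mode avoids.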