security.csrfProtection = 'session'
Does anyone know the advantages or disadvantages of this setting?
security.csrfProtection = 'session'
Simpler is always better
As you already posted 'cookie' is weaker than 'session'.
https://forum.codeigniter.com/thread-80877.html

session advantage:
- safer than cookie
- If an attacker can inject a cookie to a user's browser, Cookie based CSRF protection is nullified.
- It is easier to inject a cookie than to manipulate session data.

cookie advantage:
- stateless
- No need to have the state in the server.
(01-14-2022, 04:33 PM)kenjis Wrote: As you already posted 'cookie' is weaker than 'session'.

Thanks. Dealing with all this security stuff is new to me.
Simpler is always better
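
The difference discussed in this thread, as an added example that is not part of the original posts and is not CodeIgniter's own code: a framework-independent Python model of the two verification strategies, run against a normal form post and against a post where the token cookie was injected. The names `csrf_cookie`, `csrf_token`, `session_id` and `sess-1` are hypothetical, and all sample data is constructed.

```python
import hmac
import secrets

def _match(expected: str, sent: str) -> bool:
    # Reject empty tokens, then compare in constant time.
    return bool(expected) and bool(sent) and hmac.compare_digest(expected, sent)

def verify_cookie_mode(cookies: dict, form: dict) -> bool:
    """Stateless: the submitted token only has to equal the token cookie."""
    return _match(cookies.get("csrf_cookie", ""), form.get("csrf_token", ""))

def verify_session_mode(sessions: dict, cookies: dict, form: dict) -> bool:
    """Stateful: the submitted token has to equal the one kept server-side."""
    session = sessions.get(cookies.get("session_id", ""), {})
    return _match(session.get("csrf_token", ""), form.get("csrf_token", ""))

def run_scenarios() -> dict:
    # Constructed sample data: one logged-in user with a server-issued token.
    issued = secrets.token_hex(16)
    sessions = {"sess-1": {"csrf_token": issued}}
    # Normal form post: cookie, session and form field all carry the issued token.
    ok_cookies = {"session_id": "sess-1", "csrf_cookie": issued}
    ok_form = {"csrf_token": issued}
    # Cross-site post after a token cookie was injected: cookie and form field
    # agree with each other, but the server never issued this value.
    planted = secrets.token_hex(16)
    bad_cookies = {"session_id": "sess-1", "csrf_cookie": planted}
    bad_form = {"csrf_token": planted}
    return {
        "cookie_mode_legit": verify_cookie_mode(ok_cookies, ok_form),
        "session_mode_legit": verify_session_mode(sessions, ok_cookies, ok_form),
        "cookie_mode_injected": verify_cookie_mode(bad_cookies, bad_form),
        "session_mode_injected": verify_session_mode(sessions, bad_cookies, bad_form),
    }

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the session-based check rejects the injected-cookie request, because the value it compares against never leaves the server.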