Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums CodeIgniter 4 CodeIgniter 4 Support security.csrfProtection = 'session'
security.csrfProtection = 'session'
  • Offline donpwinston
    Web Developer
  • ****
  • Posts: 262
    Threads: 58
    Joined: Jan 2016
    Reputation: 7
#1
01-14-2022, 05:02 AM

Does anyone know the advantages or disadvantages of this setting?
security.csrfProtection = 'session'
Simpler is always better
Reply
  • Offline kenjis
    Administrator
  • *******
  • Posts: 3,245
    Threads: 90
    Joined: Oct 2014
    Reputation: 205
#2
01-14-2022, 04:33 PM

As you already posted 'cookie' is weaker than 'session'.
https://forum.codeigniter.com/thread-80877.html

session advantage:
- safer than cookie
  - If an attacker can inject a cookie to a user's browser, Cookie based CSRF protection is nullified.
  - It is easier to inject a cookie than to manipulate session data.

cookie advantage:
- stateless
  - No need to have the state in the server.
ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper
Reply
  • Offline donpwinston
    Web Developer
  • ****
  • Posts: 262
    Threads: 58
    Joined: Jan 2016
    Reputation: 7
#3
01-15-2022, 02:14 PM

(01-14-2022, 04:33 PM)kenjis Wrote: As you already posted 'cookie' is weaker than 'session'.
https://forum.codeigniter.com/thread-80877.html

session advantage:
- safer than cookie
  - If an attacker can inject a cookie to a user's browser, Cookie based CSRF protection is nullified.
  - It is easier to inject a cookie than to manipulate session data.

cookie advantage:
- stateless
  - No need to have the state in the server.

Thanks. Dealing with all this security stuff is new to me.
Simpler is always better
Reply




Theme © iAndrew 2016 - Forum software by © MyBB