[Yii2] Cookie signing #4656

Closed
SamMousa opened this Issue Nov 30, 2017 · 2 comments

Collaborator

SamMousa commented Nov 30, 2017

What are you trying to achieve?

I'd like to use $I->setCookie() without disabling Yii's cookie validation.

What do you get instead?

The Yii request object filters unsigned cookies.

Details

This could be solved by overriding setCookie in the Yii2 module:

    public function setCookie($name, $val, array $params = [])
    {
        // Sign the cookie.
        if ($this->app->request->enableCookieValidation) {
            $val = Yii::$app->getSecurity()->hashData(serialize([$name, $val]), $this->app->request->cookieValidationKey);
        }
        parent::setCookie($name, $val, $params);
    }

The issue is not a technical one, but more a philosophical one: Do we want to support these security features during testing? In my opinion disabling them increases chances of a misconfiguration ending up in production somewhere.
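Why the request drops a cookie set through an unmodified setCookie(), and what signing serialize([$name, $val]) buys, shown as a stand-alone PHP sketch added here (not code from the issue, Yii or Codeception). It assumes Yii's default HMAC-SHA256 for hashData(); the function names and the key are hypothetical.

```php
<?php
// Added illustration. signCookieValue/readCookieValue are hypothetical names
// and the key below is a constructed sample, not a real cookieValidationKey.

// Same shape as hashData(): hex HMAC of the data, prepended to the data.
function signCookieValue(string $name, $value, string $key): string
{
    $data = serialize([$name, $value]);
    return hash_hmac('sha256', $data, $key) . $data;
}

// Request side: returns the cookie value, or null when the cookie is filtered.
function readCookieValue(string $name, string $raw, string $key)
{
    $macLen = 64; // hex length of an HMAC-SHA256
    if (strlen($raw) < $macLen) {
        return null; // unsigned value, too short to carry a MAC
    }
    $mac  = substr($raw, 0, $macLen);
    $data = substr($raw, $macLen);
    if (!hash_equals(hash_hmac('sha256', $data, $key), $mac)) {
        return null; // modified value or wrong key
    }
    // allowed_classes=false: never instantiate objects from cookie data.
    $decoded = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($decoded) || !isset($decoded[0], $decoded[1]) || $decoded[0] !== $name) {
        return null; // validly signed, but for a different cookie name
    }
    return $decoded[1];
}

$key    = 'constructed-test-key';
$signed = signCookieValue('lang', 'nl', $key);

$cases = [
    'signed by the override'    => [readCookieValue('lang', $signed, $key), 'nl'],
    'raw value, no signature'   => [readCookieValue('lang', 'nl', $key), null],
    'value edited after sign'   => [readCookieValue('lang', str_replace('nl', 'en', $signed), $key), null],
    'replayed under other name' => [readCookieValue('theme', $signed, $key), null],
];
foreach ($cases as $label => [$actual, $expected]) {
    if ($actual !== $expected) {
        throw new RuntimeException("unexpected result for: $label");
    }
    echo $label, ' => ', var_export($actual, true), PHP_EOL;
}
```

Because the name is part of the signed data, a signed value copied from one cookie into another is filtered just like an unsigned one.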

@samdark samdark added the Yii label Nov 30, 2017


Collaborator

samdark commented Nov 30, 2017

Yes. It would be good if it worked out of the box.

SamMousa added a commit to SamMousa/Codeception that referenced this issue Dec 12, 2017


Collaborator

SamMousa commented Dec 12, 2017

See PR #4684

@samdark samdark closed this Dec 14, 2017
