[Yii2] Cookie signing #4656

SamMousa opened this Issue Nov 30, 2017 · 2 comments



SamMousa commented Nov 30, 2017

What are you trying to achieve?

I'd like to use $I->setCookie() without disabling Yii's cookie validation.

What do you get instead?

The Yii request object filters unsigned cookies.


This could be solved by overriding setCookie in the Yii2 module:

public function setCookie($name, $val, array $params = [])
{
    // Sign the cookie so that Yii's request object accepts it.
    if ($this->app->request->enableCookieValidation) {
        $val = Yii::$app->getSecurity()->hashData(serialize([$name, $val]), $this->app->request->cookieValidationKey);
    }
    parent::setCookie($name, $val, $params);
}

The issue is not a technical one, but more a philosophical one: Do we want to support these security features during testing? In my opinion disabling them increases the chances of a misconfiguration ending up in production somewhere.

@samdark samdark added the Yii label Nov 30, 2017
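Why an unsigned test cookie disappears, as an added stand-alone example (not code from this issue, Yii, or Codeception): it assumes the format implied by the snippet above, a hex HMAC-SHA256 prefixed to `serialize([$name, $value])`. The function names `signCookie` and `loadCookie`, the key, and the cookie values are constructed for illustration.

```php
<?php
// Added illustration; assumed format: hex HMAC-SHA256 prefix + serialize([$name, $value]).
const MAC_LEN = 64; // length of a hex-encoded SHA-256 digest

function signCookie(string $name, string $value, string $key): string
{
    $data = serialize([$name, $value]);
    return hash_hmac('sha256', $data, $key) . $data;
}

// Returns the cookie value, or null when the cookie must be dropped.
function loadCookie(string $name, string $raw, string $key): ?string
{
    if (strlen($raw) < MAC_LEN) {
        return null; // too short to carry a MAC: treated as unsigned
    }
    $mac  = substr($raw, 0, MAC_LEN);
    $data = substr($raw, MAC_LEN);
    // Constant-time comparison; the MAC is checked before anything is unserialized.
    if (!hash_equals(hash_hmac('sha256', $data, $key), $mac)) {
        return null;
    }
    $pair = unserialize($data, ['allowed_classes' => false]);
    // The signed payload carries the cookie name, so a valid value
    // cannot be replayed under a different cookie name.
    if (!is_array($pair) || count($pair) !== 2 || $pair[0] !== $name || !is_string($pair[1])) {
        return null;
    }
    return $pair[1];
}

$key    = 'constructed-test-key'; // constructed sample key
$signed = signCookie('lang', 'nl', $key);
$cases  = [
    'unsigned (plain setCookie)'       => ['lang', 'nl'],
    'signed'                           => ['lang', $signed],
    'signed, sent under another name'  => ['theme', $signed],
    'signed, value edited afterwards'  => ['lang', str_replace('nl', 'en', $signed)],
    'signed with a different key'      => ['lang', signCookie('lang', 'nl', 'other-key')],
];
foreach ($cases as $label => [$name, $raw]) {
    $value = loadCookie($name, $raw, $key);
    printf("%-34s %s\n", $label, $value === null ? 'dropped' : "accepted ($value)");
}
```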




samdark commented Nov 30, 2017

Yes. Would be good if it worked out of the box.

SamMousa added a commit to SamMousa/Codeception that referenced this issue Dec 12, 2017




SamMousa commented Dec 12, 2017

See PR #4684

@samdark samdark closed this Dec 14, 2017
