php Setting the httpOnly flag on the CSRF token in Laravel

uemypmqf  posted 2023-11-16  in PHP

I'm building an application for a client in Laravel 5.1. After finishing the application I got a pentest report telling me to add an HttpOnly flag. I added 'secure' => true and 'http_only' => true in app/config/session.php. All the session cookies now have the httpOnly flag set except XSRF-TOKEN. How can I set this flag?

ntjbwcob

ntjbwcob1#

You can override the addCookieToResponse($request, $response) method in App\Http\Middleware\VerifyCsrfToken

/**
 * Add the CSRF token to the response cookies.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Illuminate\Http\Response  $response
 * @return \Illuminate\Http\Response
 */
protected function addCookieToResponse($request, $response)
{
    $response->headers->setCookie(
        new Cookie('XSRF-TOKEN',
            $request->session()->token(),
            time() + 60 * 120,        // expire: two hours from now
            '/',                      // path
            null,                     // domain
            config('session.secure'), // secure
            true)                     // httpOnly (the framework default passes false here)
    );

    return $response;
}

Don't forget to add

use Symfony\Component\HttpFoundation\Cookie;

wwtsj6pe

wwtsj6pe2#

This can be fixed. If you just need httpOnly on the token, add this to the VerifyCsrfToken middleware:

/**
 * Add the CSRF token to the response cookies.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Symfony\Component\HttpFoundation\Response  $response
 * @return \Symfony\Component\HttpFoundation\Response
 */
protected function addCookieToResponse($request, $response)
{
    $config = config('session');

    $response->headers->setCookie(
        new Cookie(
            // name, value, expire timestamp (availableAt() converts seconds from now)
            'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
            // path, domain, secure, httpOnly = true, raw = false, sameSite
            $config['path'], $config['domain'], $config['secure'], true, false, $config['same_site'] ?? null
        )
    );

    return $response;
}


c9qzyr3d

c9qzyr3d3#

You have to set these in .env:

SESSION_DOMAIN=
SESSION_SECURE_COOKIE=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=strict


kpbwa7wx

kpbwa7wx4#

/**
 * Add the CSRF token to the response cookies.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Symfony\Component\HttpFoundation\Response  $response
 * @return \Symfony\Component\HttpFoundation\Response
 */
protected function addCookieToResponse($request, $response)
{
    $config = config('session');

    $response->headers->setCookie(
        new Cookie(
            // name, value, expire timestamp (availableAt() converts seconds from now)
            'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
            // path, domain, secure, httpOnly = true, raw = false, sameSite
            $config['path'], $config['domain'], $config['secure'], true, false, $config['same_site'] ?? null
        )
    );

    return $response;
}

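Added example (not from the question or any of the answers above): a POSIX shell check that audits the Set-Cookie headers an application returns, so the pentest finding can be verified after the middleware or .env change from the answers. The header lines are constructed samples and the https://app.example/login URL in the comment is a placeholder.

```shell
#!/bin/sh
# Audit Set-Cookie headers for the HttpOnly, Secure and SameSite flags.
# Note: once XSRF-TOKEN is HttpOnly, front-end JavaScript cannot read it to send
# the X-XSRF-TOKEN header, so take the token from a <meta> tag or form field.
# Headers below are constructed samples; for a live app pipe in e.g.
#   curl -sI https://app.example/login | grep -i '^set-cookie:'   (placeholder URL)

# Print the flags missing from one Set-Cookie line, e.g. "HttpOnly Secure".
# Attributes are lower-cased and stripped of spaces so matching is case-insensitive.
missing_flags() {
    attrs=""
    case "$1" in
        *";"*) attrs=$(printf '%s' "${1#*;}" | tr 'A-Z' 'a-z' | tr -d ' ') ;;
    esac
    attrs=";$attrs;"
    missing=""
    case "$attrs" in *";httponly;"*) ;; *) missing="${missing:+$missing }HttpOnly" ;; esac
    case "$attrs" in *";secure;"*)   ;; *) missing="${missing:+$missing }Secure" ;; esac
    case "$attrs" in
        *";samesite=strict;"*|*";samesite=lax;"*) ;;
        *) missing="${missing:+$missing }SameSite" ;;
    esac
    printf '%s' "$missing"
}

# Read header lines from stdin, report each cookie, return 1 if any lacks a flag.
audit_cookies() {
    rc=0
    while IFS= read -r line; do
        case "$line" in [Ss]et-[Cc]ookie:*) ;; *) continue ;; esac
        name=${line#*:}; name=${name%%=*}          # text between ":" and "="
        name=$(printf '%s' "$name" | tr -d ' ')
        miss=$(missing_flags "$line")
        if [ -n "$miss" ]; then
            printf 'FAIL %s: missing %s\n' "$name" "$miss"; rc=1
        else
            printf 'OK   %s\n' "$name"
        fi
    done
    return $rc
}

# Constructed sample: the session cookie is fine, XSRF-TOKEN still lacks HttpOnly.
SAMPLE_HEADERS='Set-Cookie: laravel_session=abc123; expires=Thu, 16 Nov 2023 12:00:00 GMT; path=/; secure; httponly; samesite=lax
Set-Cookie: XSRF-TOKEN=def456; expires=Thu, 16 Nov 2023 12:00:00 GMT; path=/; secure; samesite=lax'

printf '%s\n' "$SAMPLE_HEADERS" | audit_cookies || echo "some cookies still need fixing"
```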
