Replies: 6 comments 1 reply
-
All cookies are automatically set to secure, if it's enabled and value is not given explicitly to setCookie() call (Line 261 in a0d4f7c).

It is also enabled by default by HttpExtension (key `cookieSecure` under `http`):

```neon
http:
    cookieSecure: auto # same as default
```
-
Thank you for the reply. I do not use the framework, but Nette Forms stand-alone. When csrf-protection is added, then a not secure _nss-cookie is set.

```php
$form = new Form();
$form->addProtection();
```
-
Hmm, you are right. I think you could work around that this way:

```php
$form = new \Nette\Forms\Form();
// <workaround>
$form->httpRequest = $request = (new \Nette\Http\RequestFactory)->fromGlobals();
$response = new \Nette\Http\Response();
$response->cookieSecure = true;
\Nette\Http\Helpers::initCookie($request, $response);
// </workaround>
$form->addProtection();
```

Not very clear, but afaik should work.
-
Thanks for the tip. What request-object can I use as first parameter in

```php
\Nette\Http\Helpers::initCookie(self::$defaultHttpRequest, $response);
```
-
Awesome, it works!
-
Fixed in nette/forms
-
When running IDS-scans of my site, it returns the message that the _nss (nette same-site)-cookie is not secure.
Would it be possible to make it secure?
https://github.com/nette/http/blob/master/src/Http/Helpers.php#L57
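The scanner finding on the `_nss` cookie can be reproduced locally to confirm that the workaround or the fix took effect. This is an added example, not code from the thread or from Nette; the function name `auditSetCookieHeaders` and the sample header lines are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Audits raw response header lines and reports cookies that lack required attributes.
 * Returns [cookieName => [missing attribute, ...]]; an empty array means no findings.
 * (Hypothetical helper written for this example.)
 */
function auditSetCookieHeaders(
    array $headerLines,
    array $required = ['secure', 'httponly', 'samesite']
): array {
    $findings = [];
    foreach ($headerLines as $line) {
        // Only Set-Cookie headers matter; header names are case-insensitive.
        if (!preg_match('/^Set-Cookie:\s*(.+)$/i', $line, $m)) {
            continue;
        }
        $parts = array_map('trim', explode(';', $m[1]));
        // The first part is "name=value"; everything after it is an attribute.
        $name = explode('=', array_shift($parts), 2)[0];
        $attributes = [];
        foreach ($parts as $part) {
            [$key] = explode('=', $part, 2);
            // Attribute names are case-insensitive ("Secure" and "secure" are equal).
            $attributes[strtolower(trim($key))] = true;
        }
        $missing = array_values(array_filter(
            $required,
            fn(string $attr): bool => !isset($attributes[$attr])
        ));
        if ($missing !== []) {
            $findings[$name] = $missing;
        }
    }
    return $findings;
}

// Constructed sample headers: the first mimics the scanner finding from the thread
// (an _nss cookie without Secure), the second the header once Secure is set.
$before = ['Set-Cookie: _nss=1; path=/; HttpOnly; SameSite=Strict'];
$after  = ['Set-Cookie: _nss=1; path=/; secure; HttpOnly; SameSite=Strict'];

var_dump(auditSetCookieHeaders($before));
var_dump(auditSetCookieHeaders($after));
```

In a real request, pass the result of `headers_list()` to the function after `$form->addProtection()` has run and before output is flushed.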