Yii Session Cookie Handling

7 years 4 days ago #150116 by jelo
Is the following the expected behavior?
Accessing an activated survey on demo.limesurvey.org and finishing the survey.

Three cookies are set in the browser:
Name: PHPSESSID
Value: hrd747j4jmh2ipnhbbmb1aaj51
Host: demo.limesurvey.org
Path: /
Expires: At end of session
Secure: Yes
HttpOnly: Yes

Name: YII_CSRF_TOKEN
Value: c84abb957a10959e77a188c4c0f0477d3048c217
Host: demo.limesurvey.org
Path: /
Expires: At end of session
Secure: Yes
HttpOnly: No

Name: userpermissions
Value: false
Host: demo.limesurvey.org
Path: /
Expires: At end of session
Secure: No
HttpOnly: No

Close the tab, not the browser.
For testing, the cookie "YII_CSRF_TOKEN" is removed manually from the browser.
The URL is entered again in a new tab without NEWTEST=Y.
After completing the survey the second time, the cookies found in the browser are:

Name: PHPSESSID
Value: hrd747j4jmh2ipnhbbmb1aaj51
Host: demo.limesurvey.org
Path: /
Expires: At end of session
Secure: Yes
HttpOnly: Yes

Name: userpermissions
Value: false
Host: demo.limesurvey.org
Path: /
Expires: At end of session
Secure: No
HttpOnly: No

1. The CSRF cookie was not recreated when entering the survey URL again in the new tab.
2. The survey could be finished (POST) without any error.

I would have expected that the CSRF cookie is recreated. But since that is not the case, I would then expect that a CSRF mismatch is triggered. Neither is the case. Is that the intended behavior?

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
7 years 2 days ago #150168 by DenisChenu
CSRF cookies are tested for each $_POST session; strange that you don't have it after submitting.

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
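To make the reply above concrete, here is a simplified model of Yii 1.x's double-submit CSRF check run over the sequence described in this thread. It is an added illustration, not LimeSurvey's or Yii's code; it assumes the hidden form field carries the same name as the cookie (Yii's default), and the `issue_token` and `validation_enabled` switches are constructed for the example to contrast the expected outcome with the observed one.

```python
import secrets

CSRF_NAME = "YII_CSRF_TOKEN"  # Yii 1.x default, the cookie name seen in the post


class CsrfError(Exception):
    """Stands in for Yii's HTTP 400 'The CSRF token could not be verified.'"""


def serve_survey_page(jar, issue_token=True):
    """Render the survey form. In Yii the token cookie is (re)issued when the
    page asks for a token and no cookie exists; issue_token=False (constructed
    switch) models a page that never requests one, so the cookie stays absent."""
    if issue_token and CSRF_NAME not in jar:
        jar[CSRF_NAME] = secrets.token_hex(20)
    # the hidden form field carries the same value as the cookie (double submit)
    return {CSRF_NAME: jar[CSRF_NAME]} if CSRF_NAME in jar else {}


def validate_csrf(jar, post, validation_enabled=True):
    """Double-submit check applied to every POST: cookie and field must match.
    With validation disabled (constructed switch, standing in for a route
    that is not checked) the POST is accepted regardless of the cookie."""
    if not validation_enabled:
        return "accepted (no check)"
    field = post.get(CSRF_NAME)
    if not field or CSRF_NAME not in jar:
        raise CsrfError("token missing from cookie or POST body")
    if not secrets.compare_digest(jar[CSRF_NAME], field):
        raise CsrfError("cookie and POST token differ")
    return "accepted"


def run_thread_scenario(cookie_recreated, validation_enabled):
    """First survey run, manual deletion of YII_CSRF_TOKEN, second run.
    Returns (cookie present after second run, outcome of second POST)."""
    jar = {}                                        # constructed browser cookie store
    post = serve_survey_page(jar)
    validate_csrf(jar, post, validation_enabled)    # first submit
    del jar[CSRF_NAME]                              # user removes the cookie by hand
    post = serve_survey_page(jar, issue_token=cookie_recreated)
    try:
        outcome = validate_csrf(jar, post, validation_enabled)
    except CsrfError as exc:
        outcome = f"rejected: {exc}"
    return CSRF_NAME in jar, outcome
```

Only the third combination (cookie not recreated and no check on the POST) reproduces what the thread observed: no cookie and a successful submit; with the check active, a missing cookie is rejected.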