Yii Session Cookie Handling

9 months 2 days ago #150116 by jelo
jelo created the topic: Yii Session Cookie Handling
Is the following the expected behavior?
Accessing an activated survey on Demo.limesurvey.org and finishing the survey.

Three cookies are set in the browser:

Name: PHPSESSID
Value: hrd747j4jmh2ipnhbbmb1aaj51
Host: Demo.limesurvey.org
Path: /
Expires: At end of session
Secure: Yes
HttpOnly: Yes

Name: YII_CSRF_TOKEN
Value: c84abb957a10959e77a188c4c0f0477d3048c217
Host: Demo.limesurvey.org
Path: /
Expires: At end of session
Secure: Yes
HttpOnly: No

Name: userpermissions
Value: false
Host: Demo.limesurvey.org
Path: /
Expires: At end of session
Secure: No
HttpOnly: No

Close the tab, not the browser.
For testing, the cookie "YII_CSRF_TOKEN" is removed manually from the browser.
The URL is entered again in a new tab without NEWTEST=Y.
After completing the survey the second time, the cookies found in the browser are:

Name: PHPSESSID
Value: hrd747j4jmh2ipnhbbmb1aaj51
Host: Demo.limesurvey.org
Path: /
Expires: At end of session
Secure: Yes
HttpOnly: Yes

Name: userpermissions
Value: false
Host: Demo.limesurvey.org
Path: /
Expires: At end of session
Secure: No
HttpOnly: No

1. The CSRF cookie was not recreated when entering the survey URL again in the new tab.
2. The survey could be finished (POST) without any error.

I would have expected that the CSRF cookie is recreated. But since that is not the case, I would then expect that a CSRF mismatch is triggered. Neither is the case. Is that the intended behavior?


9 months 17 hours ago #150168 by DenisChenu
DenisChenu replied the topic: Yii Session Cookie Handling
CSRF cookies are tested for each $_POST session; strange that you don't have it after submitting.

Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member; professional service on demand (or search sondages pro).
An error happened? Before making a new topic: remember the Debug mode.
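To make concrete what "CSRF cookies are tested for each $_POST" means, and why jelo's second run could still POST successfully with the YII_CSRF_TOKEN cookie deleted, here is an added example that models the double-submit-cookie check Yii 1.1 performs in CHttpRequest::validateCsrfToken(). It is not LimeSurvey or Yii code; the function names (issueCsrfCookie, validateCsrfRequest), the CSRF_COOKIE_NAME constant and the scenario data are this example's own, and the $enableCsrfValidation parameter stands in for the request component's enableCsrfValidation setting, which is an assumption about how the check can be switched off for a given path.

```php
<?php
// Added example (not LimeSurvey/Yii code): a minimal model of the
// double-submit-cookie check that Yii 1.1's CHttpRequest::validateCsrfToken()
// performs. All names below are this example's own, not Yii's API.
// Requires PHP 7.1+ (nullable return type, random_bytes).

const CSRF_COOKIE_NAME = 'YII_CSRF_TOKEN'; // cookie name seen in the thread

/**
 * Issue a fresh CSRF token if the browser sent no usable cookie.
 * Models the idea that the token cookie is (re)created when a form that
 * needs a token is rendered. Returns the token value to embed in the form.
 */
function issueCsrfCookie(array &$cookies): string
{
    if (empty($cookies[CSRF_COOKIE_NAME])) {
        // 40 hex characters, the same shape as the value in the post (constructed)
        $cookies[CSRF_COOKIE_NAME] = bin2hex(random_bytes(20));
    }
    return $cookies[CSRF_COOKIE_NAME];
}

/**
 * Validate a state-changing request. Returns null when the request is
 * accepted, otherwise a reason string (the real framework answers HTTP 400).
 *
 * $enableCsrfValidation models the request component's enableCsrfValidation
 * flag (assumption): when false, nothing is checked, which is one way a POST
 * can succeed although no CSRF cookie is present at all.
 */
function validateCsrfRequest(string $method, array $cookies, array $post,
                             bool $enableCsrfValidation = true): ?string
{
    if (!$enableCsrfValidation) {
        return null; // check skipped entirely
    }
    if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return null; // only state-changing methods are validated
    }
    $fromCookie = isset($cookies[CSRF_COOKIE_NAME]) ? (string) $cookies[CSRF_COOKIE_NAME] : null;
    $fromBody   = isset($post[CSRF_COOKIE_NAME])    ? (string) $post[CSRF_COOKIE_NAME]    : null;

    if ($fromCookie === null) {
        return 'CSRF cookie missing';            // jelo's second run, if validation were on
    }
    if ($fromBody === null) {
        return 'CSRF token missing from request body';
    }
    if (!hash_equals($fromCookie, $fromBody)) { // constant-time comparison
        return 'CSRF token mismatch';
    }
    return null;
}

// --- constructed scenarios, modelled on the steps described in the thread ---
$token = 'c84abb957a10959e77a188c4c0f0477d3048c217'; // cookie value from the post

$scenarios = [
    'first run: cookie and form token agree'                 => ['POST', [CSRF_COOKIE_NAME => $token], [CSRF_COOKIE_NAME => $token], true],
    'second run: cookie deleted, body token unchanged'       => ['POST', [],                           [CSRF_COOKIE_NAME => $token], true],
    'second run with validation disabled for this path'      => ['POST', [],                           [CSRF_COOKIE_NAME => $token], false],
    'cookie present, body token tampered'                    => ['POST', [CSRF_COOKIE_NAME => $token], [CSRF_COOKIE_NAME => str_repeat('0', 40)], true],
    'plain GET is never checked'                             => ['GET',  [],                           [],                           true],
];

foreach ($scenarios as $label => [$method, $cookies, $post, $enabled]) {
    $result = validateCsrfRequest($method, $cookies, $post, $enabled);
    printf("%-52s -> %s\n", $label, $result === null ? 'accepted' : "rejected ({$result})");
}

// Rendering the form on a GET with an empty cookie jar issues a new cookie:
$jar = [];
$fresh = issueCsrfCookie($jar);
printf("cookie re-issued on form render: %s=%s\n", CSRF_COOKIE_NAME, $fresh);
```

Run it with `php csrf_check.php`. Only the "validation disabled" scenario accepts a POST that carries no cookie; with validation on, a deleted cookie is rejected before the token values are even compared. If the cookie is also not re-issued when the survey page is rendered, as in jelo's second run, the two observations together point at the check not running for that request path, which is what to confirm (request component configuration, per-controller overrides) rather than at a token mismatch being silently ignored.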
