odan / slim4-skeleton

A Slim 4 Skeleton
https://odan.github.io/slim4-skeleton/
MIT License

csrf #28

Closed ledahu closed 4 years ago

ledahu commented 4 years ago

Hi

please, can you add csrf middleware on the skeleton? I fail to implement it and think it's a good example to understand Slim4 and ADR

thank you

odan commented 4 years ago

I think SameSite cookies will make CSRF obsolete in the long run. Therefore, I cannot and do not want to add (and support) it to the skeleton. Please try to install the slim/slim-csrf component instead.

ledahu commented 4 years ago

I added the samesite cookie param in your skeleton (from another skeleton) and I read the link you suggested about samesite, but it's clearly mentioned that for a production website "all browsers don't support samesite", so, for now, I think that it's better to continue a bit with csrf. I agree for the long term. So I'm gonna try again with slimphp/csrf

```php
namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpFoundation\Session\Session;

/**
```
container:

```php
use Psr\Container\ContainerInterface;
use Symfony\Component\HttpFoundation\Session\SessionInterface;

// container definition for the middleware
SessionMiddleware::class => function (ContainerInterface $container) {
    $sessionSet = $container->get('settings')['php'];
    return new SessionMiddleware($container->get(SessionInterface::class), $sessionSet);
},
```

settings:

```php
$settings['php'] = [
    /**
     * Session cookies configuration (consumed by the @see
     * SessionMiddleware). Changing these defaults may compromise
     * security (i.e. break CSRF protection). See
     * @link https://scotthelme.co.uk/csrf-is-really-dead/.
     */
    'session_cookie_lifetime' => 600,
    'session_cookie_secure' => true,
    'session_cookie_httponly' => true,
    'session_cookie_samesite' => 'Lax',
];
```

odan commented 4 years ago

Ok this is fine :-)

Just a tip. You can configure the lifetime of session cookies by specifying the lifetime (in seconds) using the cookie_lifetime key in the constructor’s $options argument in \Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage.

https://symfony.com/doc/current/components/http_foundation/session_configuration.html#session-cookie-lifetime
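Putting ledahu's `session_cookie_*` settings and odan's `cookie_lifetime` tip together, as an added example that is not the skeleton's own middleware: a PSR-15 SessionMiddleware that hands those settings to `NativeSessionStorage` so the session cookie is issued with the hardening flags discussed in this thread. The settings keys follow ledahu's snippet; the `session` request attribute name and the `use_strict_mode` option are assumptions of this example.

```php
<?php

declare(strict_types=1);

namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;

/**
 * Starts a PHP session whose cookie carries a short lifetime plus the
 * Secure, HttpOnly and SameSite=Lax flags. Example code, not part of the
 * skeleton. SameSite=Lax keeps the cookie off cross-site POSTs (the usual
 * CSRF vector); browsers without SameSite support still need a token
 * based check such as slim/csrf, as discussed above.
 */
final class SessionMiddleware implements MiddlewareInterface
{
    private Session $session;

    public function __construct(array $settings)
    {
        // Map the settings keys from the thread onto NativeSessionStorage
        // options, which mirror the php.ini session.cookie_* directives.
        $options = [
            'cookie_lifetime' => (int) ($settings['session_cookie_lifetime'] ?? 0),
            'cookie_secure'   => (bool) ($settings['session_cookie_secure'] ?? true),
            'cookie_httponly' => (bool) ($settings['session_cookie_httponly'] ?? true),
            'cookie_samesite' => $settings['session_cookie_samesite'] ?? 'Lax',
            // Assumed extra: reject session ids the server never issued.
            'use_strict_mode' => true,
        ];

        $this->session = new Session(new NativeSessionStorage($options));
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if (!$this->session->isStarted()) {
            $this->session->start();
        }

        // Expose the session to the action (ADR) through a request attribute (assumed name).
        return $handler->handle($request->withAttribute('session', $this->session));
    }
}
```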