Closed ledahu closed 4 years ago
I think SameSite cookies will make CSRF obsolete in the long run. Therefore, I cannot and do not want to add (and support) it to the skeleton. Please try to install the slim/slim-csrf component instead.
I added the samesite cookie param in your skeleton (from another skeleton) and I read the link you suggested about SameSite, but it's clearly mentioned that for a production website "all browsers don't support SameSite", so, for now, I think it's better to continue a bit with CSRF. I agree for the long term. So I'm gonna try again with slimphp/csrf.
```php
<?php

namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpFoundation\Session\SessionInterface;

/**
 * Session Middleware.
 */
final class SessionMiddleware implements MiddlewareInterface
{
    /** @var SessionInterface The session, injected by the container */
    private $session;

    /** @var array The 'php' section of the settings (session cookie configuration) */
    private $mysettings;

    public function __construct(SessionInterface $session, array $mysettings)
    {
        $this->session = $session;
        $this->mysettings = $mysettings;
    }

    /**
     * Invoke middleware.
     *
     * @param ServerRequestInterface $request The request
     * @param RequestHandlerInterface $handler The handler
     *
     * @return ResponseInterface The response
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Keep path/domain from php.ini, override the security-relevant
        // attributes from the settings. session_get_cookie_params() is safe to
        // call unconditionally, so no ini_get('session.use_cookies') guard is
        // needed (the guard left $ini_defs undefined when cookies were off).
        $ini_defs = session_get_cookie_params();

        // The array form (and the 'samesite' key) requires PHP 7.3+.
        session_set_cookie_params([
            'lifetime' => $this->mysettings['session_cookie_lifetime'],
            'path' => $ini_defs['path'],
            'domain' => $ini_defs['domain'],
            'secure' => $this->mysettings['session_cookie_secure'],
            'httponly' => $this->mysettings['session_cookie_httponly'],
            'samesite' => $this->mysettings['session_cookie_samesite'],
        ]);

        $this->session->start();

        return $handler->handle($request);
    }
}
```
container:

```php
SessionMiddleware::class => function (ContainerInterface $container) {
    $sessionSet = $container->get('settings')['php'];

    return new SessionMiddleware($container->get(SessionInterface::class), $sessionSet);
},
```
settings:

```php
$settings['php'] = [
    /**
     * Session cookies configuration (consumed by the @see
     * SessionMiddleware). Changing these defaults may compromise
     * security (i.e. break CSRF protection). See
     * @link https://scotthelme.co.uk/csrf-is-really-dead/.
     */
    'session_cookie_lifetime' => 600,
    'session_cookie_secure' => true,
    'session_cookie_httponly' => true,
    'session_cookie_samesite' => 'Lax',
];
```
Ok this is fine :-)

Just a tip. You can configure the lifetime of session cookies by specifying the lifetime (in seconds) using the `cookie_lifetime` key in the constructor's `$options` argument in `\Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage`.
Hi,

please, can you add a CSRF middleware to the skeleton? I fail to implement it and think it's a good example to understand Slim4 and ADR.

Thank you
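One way such a middleware can look for Slim 4, added here as an example and not code from the skeleton or from slim/csrf: a synchronizer-token check as a PSR-15 middleware. A random token lives in the session and must be echoed back in a hidden form field (or a request header for fetch/XHR) on every state-changing request, so a cross-site form post is rejected regardless of whether the browser honours SameSite, which is the concern raised earlier in the thread. The class name CsrfMiddleware and the key/field/header names are assumptions; the code assumes the Symfony `SessionInterface` the container above already provides, a PSR-17 `ResponseFactoryInterface`, and PHP 7.4+ for typed properties.

```php
<?php

declare(strict_types=1);

namespace App\Middleware;

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpFoundation\Session\SessionInterface;

/**
 * Synchronizer-token CSRF middleware (added example, not the skeleton's code).
 *
 * SESSION_KEY, FIELD_NAME and HEADER_NAME are hypothetical names chosen here.
 */
final class CsrfMiddleware implements MiddlewareInterface
{
    public const SESSION_KEY = 'csrf_token';
    public const FIELD_NAME = 'csrf_token';
    public const HEADER_NAME = 'X-CSRF-Token';

    /** Methods that must not change state and therefore need no token. */
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    private SessionInterface $session;
    private ResponseFactoryInterface $responseFactory;

    public function __construct(SessionInterface $session, ResponseFactoryInterface $responseFactory)
    {
        $this->session = $session;
        $this->responseFactory = $responseFactory;
    }

    /**
     * Per-session token, created on first use. Templates embed it as
     *   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($csrf->getToken()) ?>">
     */
    public function getToken(): string
    {
        if (!$this->session->has(self::SESSION_KEY)) {
            // 32 CSPRNG bytes -> 64 hex chars; hex is safe inside HTML attributes and headers.
            $this->session->set(self::SESSION_KEY, bin2hex(random_bytes(32)));
        }

        return (string)$this->session->get(self::SESSION_KEY);
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if (in_array($request->getMethod(), self::SAFE_METHODS, true)) {
            return $handler->handle($request);
        }

        $submitted = $this->submittedToken($request);

        // hash_equals() compares in constant time; a plain === would leak the token byte by byte.
        if ($submitted === null || !hash_equals($this->getToken(), $submitted)) {
            $response = $this->responseFactory->createResponse(403);
            $response->getBody()->write('Invalid CSRF token');

            return $response;
        }

        return $handler->handle($request);
    }

    /** Token from the parsed body (form post) first, then from the header (fetch/XHR). */
    private function submittedToken(ServerRequestInterface $request): ?string
    {
        $body = $request->getParsedBody();
        if (is_array($body) && isset($body[self::FIELD_NAME]) && is_string($body[self::FIELD_NAME])) {
            return $body[self::FIELD_NAME];
        }

        $header = $request->getHeaderLine(self::HEADER_NAME);

        return $header !== '' ? $header : null;
    }
}
```

Wire it like the SessionMiddleware above, with a container entry that passes `$container->get(SessionInterface::class)` and `$container->get(ResponseFactoryInterface::class)` to the constructor, and register it with `$app->add(CsrfMiddleware::class)` before `$app->add(SessionMiddleware::class)`: Slim 4 runs the last-added middleware first, so the session is configured and started before the token is read. For JSON bodies add Slim's `BodyParsingMiddleware` so `getParsedBody()` is populated. The token check is a complement to, not a replacement for, the `secure`, `httponly` and `samesite` cookie settings in the thread's configuration.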