suncat2000 / MobileDetectBundle

Symfony 2/3/4 bundle for detecting mobile devices, managing the mobile view and redirecting to the mobile and tablet version.

device_view cookie does not respect framework cookie configuration #106

Open tina-junold opened 7 years ago

tina-junold commented 7 years ago

The device_view cookie should respect (and use) the "cookie-*" and "httponly" parameters, since currently it lowers security. The cookie is allowed also for http, but my (server/symfony) configuration does not allow it: Mozilla Observatory - "Cookies set without using the Secure flag, but transmission over HTTP prevented by HSTS"

OneWeb commented 6 years ago

I just had this flagged from a security scan as an issue and have had to remove this bundle from my project, unfortunately. Is there a workaround to force the device_view cookie to be secure?

xabbuh commented 6 years ago

Which settings are you talking about? Can you show an example?

OneWeb commented 6 years ago

Sure, it's part of Symfony's framework config for sessions:

https://symfony.com/doc/3.4/reference/configuration/framework.html#cookie-secure

and

https://symfony.com/doc/3.4/reference/configuration/framework.html#cookie-httponly

xabbuh commented 6 years ago

That's the expected behaviour. The configuration setting you linked to is not taken into account for all cookies but only affects the session cookie. See symfony/symfony#26731 for a similar feature request in the Symfony core.

OneWeb commented 6 years ago

Thanks for pointing this out, I was not aware. Is there a way to make the cookie secure on this MobileDetectBundle?

xabbuh commented 6 years ago

You can create your own event listener that modifies the cookie accordingly.
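One way to do what the previous comment suggests, as an added example that is not part of this thread or of the bundle's own code: a `kernel.response` listener that rewrites the `device_view` cookie with the `Secure` and `HttpOnly` flags before the response is sent. It assumes Symfony 3.4/4.x with the `App\` namespace, that the bundle sets a cookie literally named `device_view`, and that the bundle's own response listener runs at a higher priority than the one chosen here (`-255`), so this listener sees the cookie already attached to the response.

```php
<?php
// Added example (hypothetical class, not part of MobileDetectBundle).
// Register it in config/services.yaml (services.yml on Symfony 3.4):
//
//   App\EventListener\SecureDeviceViewCookieListener:
//       arguments: ['device_view', true, true]
//       tags:
//           - { name: kernel.event_listener, event: kernel.response,
//               method: onKernelResponse, priority: -255 }
//
// The low priority is an assumption: it is meant to run after the
// bundle's listener has attached the cookie to the response.

namespace App\EventListener;

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;

class SecureDeviceViewCookieListener
{
    /** @var string */
    private $cookieName;
    /** @var bool */
    private $secure;
    /** @var bool */
    private $httpOnly;

    public function __construct(string $cookieName = 'device_view', bool $secure = true, bool $httpOnly = true)
    {
        $this->cookieName = $cookieName;
        $this->secure = $secure;
        $this->httpOnly = $httpOnly;
    }

    public function onKernelResponse(FilterResponseEvent $event): void
    {
        // Sub-requests (fragments, ESI) share the master response; handle it once.
        if (!$event->isMasterRequest()) {
            return;
        }

        $headers = $event->getResponse()->headers;

        // getCookies() returns the cookies queued on the response as a flat list.
        foreach ($headers->getCookies() as $cookie) {
            if ($cookie->getName() !== $this->cookieName) {
                continue;
            }
            // Nothing to do if the flags already match the desired policy.
            if ($cookie->isSecure() === $this->secure && $cookie->isHttpOnly() === $this->httpOnly) {
                continue;
            }

            // Cookie objects are immutable here, so drop the queued cookie
            // (matched by name, path and domain) and queue a copy with the
            // hardened flags, keeping value, expiry, path, domain, raw and SameSite.
            $headers->removeCookie($cookie->getName(), $cookie->getPath(), $cookie->getDomain());
            $headers->setCookie(new Cookie(
                $cookie->getName(),
                $cookie->getValue(),
                $cookie->getExpiresTime(),
                $cookie->getPath(),
                $cookie->getDomain(),
                $this->secure,
                $this->httpOnly,
                $cookie->isRaw(),
                $cookie->getSameSite()
            ));
        }
    }
}
```

Because the bundle's cookie is only needed by the server to remember the chosen view, nothing client-side has to read it, so `HttpOnly` costs nothing; `Secure` only makes sense on a site that is served over HTTPS everywhere (as the HSTS setup in the opening comment implies), otherwise the browser will never send the cookie back over plain HTTP and the view selection silently stops working.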

ghost commented 5 years ago

Why not set the const COOKIE_SECURE_DEFAULT = true; in the Helper/DeviceView.php file?