Good practice for CSRF-safety after login?
- Marek Bartoš
- Nette Blogger | 1261
User login is stored in the session by default. So just log in, and it will be available in other presenters.
- Nicolas_K
- Member | 25
It works.
I had to amend the configuration:
security:
    authentication:
        expiration: 20 minutes
        storage: cookie
        cookieName: mycookiename
        cookieSamesite: Strict
        cookieDomain: 'mydomain.local'
cookieSamesite: Lax didn't change anything.
But cookieDomain: 'mydomain.local' did.
(Behavior as stated here?: https://doc.nette.org/…onfiguration#… )
And: why is cookieHttpOnly in Response deprecated? (https://api.nette.org/…esponse.html)
Is this feature replaced by another one that prevents handling it with JS?
Last edited by Nicolas_K (2023-07-15 21:53)
- Marek Bartoš
- Nette Blogger | 1261
why is cookieHttpOnly in Response deprecated
All cookies are http-only by default and you can disable it for individual cookies.
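To illustrate the two points in this thread (the SameSite and Domain attributes on the login cookie in Nicolas_K's config, and the HttpOnly default in the reply above), here is an added Python model of the browser-side rules that decide whether a cookie is attached to a request and whether page scripts can read it. It is not code from the thread or from Nette; the host names other than mydomain.local and the two-label "site" rule are constructed simplifications.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cookie:
    """Constructed model of the login cookie from the config above."""
    name: str
    set_by_host: str               # host that sent the Set-Cookie header
    domain: Optional[str] = None   # Domain attribute (cookieDomain); None = host-only
    samesite: str = "Lax"          # cookieSamesite: Strict, Lax or None
    http_only: bool = True         # Nette's default, per the reply above

def registrable_domain(host: str) -> str:
    """Site of a host = its last two labels (simplification: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def domain_matches(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 domain matching; a host-only cookie goes only to its issuing host."""
    host = request_host.lower()
    if cookie.domain is None:
        return host == cookie.set_by_host.lower()
    dom = cookie.domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def is_sent(cookie: Cookie, request_host: str, initiator_host: str,
            method: str, top_level_navigation: bool) -> bool:
    """Would the browser attach the cookie to this request?"""
    if not domain_matches(cookie, request_host):
        return False
    if registrable_domain(initiator_host) == registrable_domain(request_host):
        return True                       # same-site request: SameSite never blocks
    policy = cookie.samesite.lower()
    if policy == "none":
        return True
    if policy == "lax":                   # Lax: cross-site only on top-level safe navigations
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return False                          # Strict: never on a cross-site request

def js_can_read(cookie: Cookie) -> bool:
    """document.cookie exposes only cookies set without HttpOnly."""
    return not cookie.http_only

if __name__ == "__main__":
    strict = Cookie("mycookiename", "mydomain.local", "mydomain.local", "Strict")
    host_only = Cookie("mycookiename", "mydomain.local")
    # Cross-site POST (the CSRF shape) is blocked; a host-only cookie skips www.
    print(is_sent(strict, "mydomain.local", "other-site.example", "POST", True),
          is_sent(host_only, "www.mydomain.local", "www.mydomain.local", "GET", True))
```

Note that a cross-site POST is refused under both Strict and Lax; the two settings differ only for top-level GET navigations from another site.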