Good practice for CSRF-safety after login?

Nicolas_K (Member | 25), score 0

Hello!

Where can I find info regarding CSRF?

Last edited by Nicolas_K (2023-07-15 00:54)

Nicolas_K (Member | 25), score 0

Aah.. yeah! Thank you! .]

Nicolas_K (Member | 25), score 0

Ok – I changed my original question related to the answer.. :)

Here is a more serious question:
Starting from one presenter, I have a User with Identity.
How can I pass this to another presenter?
(So that I can ask if user->isLoggedIn() there..)

Marek Bartoš (Nette Blogger | 1261), score 0

User login is stored in the session by default. So just log in; it will be available in other presenters.

Nicolas_K (Member | 25), score 0

Thank you, Marek,
but now I have configured cookie storage…
Then what to do?

Marek Bartoš (Nette Blogger | 1261), score 0

Should be the same 🤷‍♂️

Nicolas_K (Member | 25), score 0

It works.
I had to amend the configuration:

security:
	authentication:
		expiration: 20 minutes
		storage: cookie
		cookieName: mycookiename
		cookieSamesite: Strict
		cookieDomain: 'mydomain.local'

cookieSamesite: Lax didn't change anything.
But cookieDomain: 'mydomain.local' did.
(Behavior as stated here?: https://doc.nette.org/…onfiguration#… )

And: why is cookieHttpOnly in Response deprecated?
(https://api.nette.org/…esponse.html )
Is this feature replaced by another one that prevents handling with JS?

Last edited by Nicolas_K (2023-07-15 21:53)

Marek Bartoš (Nette Blogger | 1261), score +1

why is cookieHttpOnly in Response deprecated

All cookies are http-only by default and you can disable it for individual cookies.
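The two points from the last posts (the logged-in state being visible from another presenter once it is stored, and cookies being HttpOnly by default with an opt-out per cookie), as an added PHP example. This is not code from the thread or from Nette itself; it assumes a Nette application using the `security.authentication.storage: cookie` configuration shown above, an authenticator registered in the DI container, and templates for the hypothetical `Sign` and `Dashboard` presenters. The `theme` cookie is a constructed, non-sensitive value chosen only to show the per-cookie HttpOnly opt-out.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from Nette. Presenter and form names
// are hypothetical; the authenticator behind User::login() is assumed to exist.

namespace App\Presenters;

use Nette\Application\UI\Form;
use Nette\Application\UI\Presenter;
use Nette\Http\IResponse;
use Nette\Security\AuthenticationException;

final class SignPresenter extends Presenter
{
	protected function createComponentSignInForm(): Form
	{
		$form = new Form;
		$form->addText('username', 'Username')->setRequired();
		$form->addPassword('password', 'Password')->setRequired();
		$form->addSubmit('send', 'Sign in');
		// Adds a hidden CSRF token that Nette checks on submit; a cross-site
		// POST that lacks the token never reaches onSuccess.
		$form->addProtection('Your session has expired, please submit the form again.');
		$form->onSuccess[] = [$this, 'signInFormSucceeded'];
		return $form;
	}

	public function signInFormSucceeded(Form $form, \stdClass $data): void
	{
		try {
			// The identity is written to the configured storage (the cookie
			// from the config above), so other presenters see the same state.
			$this->getUser()->login($data->username, $data->password);
			$this->redirect('Dashboard:default');
		} catch (AuthenticationException $e) {
			$form->addError('Invalid credentials.');
		}
	}
}

final class DashboardPresenter extends Presenter
{
	protected function startup(): void
	{
		parent::startup();
		// The same isLoggedIn() question asked in the thread, from a
		// different presenter: nothing is passed between presenters by hand.
		if (!$this->getUser()->isLoggedIn()) {
			$this->redirect('Sign:default');
		}
	}

	public function actionDefault(): void
	{
		// Cookies set through Nette's Response are HttpOnly by default, which
		// is why the global Response::$cookieHttpOnly flag is deprecated.
		// Only a cookie that client-side JS genuinely must read opts out,
		// and it should never carry session or identity data.
		$this->getHttpResponse()->setCookie(
			'theme',               // constructed, non-sensitive preference cookie
			'dark',
			'30 days',             // expiration
			null,                  // path: default
			null,                  // domain: default (host only)
			null,                  // secure: derived from the request scheme
			false,                 // httpOnly: explicit per-cookie opt-out
			IResponse::SameSiteLax,
		);
	}
}
```

The login form keeps `addProtection()` so the sign-in POST itself is CSRF-checked, while the identity cookie written by `User::login()` stays HttpOnly and SameSite according to the `security.authentication` settings from the post above; the only cookie that is deliberately readable by JavaScript is the unprivileged preference cookie.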

Nicolas_K (Member | 25), score 0

Thank you very much, Marek!
Again, some fog is blowing away.. !-))