
Yii Session Cookie Handling

6 years 6 days ago #150116 by jelo
Is the following the expected behavior?
Access an activated survey on demo.limesurvey.org and finish the survey.

Three cookies are set in the browser:
Name PHPSESSID
Value hrd747j4jmh2ipnhbbmb1aaj51
Host demo.limesurvey.org
Path /
Expires At end of session
Secure Yes
HttpOnly Yes

Name YII_CSRF_TOKEN
Value c84abb957a10959e77a188c4c0f0477d3048c217
Host demo.limesurvey.org
Path /
Expires At end of session
Secure Yes
HttpOnly No

Name userpermissions
Value false
Host demo.limesurvey.org
Path /
Expires At end of session
Secure No
HttpOnly No

Close the tab, not the browser.
For testing, the cookie "YII_CSRF_TOKEN" is removed manually from the browser.
The URL is entered again in a new tab without NEWTEST=Y.
After completing the survey the second time, the cookies found in the browser are:

Name PHPSESSID
Value hrd747j4jmh2ipnhbbmb1aaj51
Host demo.limesurvey.org
Path /
Expires At end of session
Secure Yes
HttpOnly Yes

Name userpermissions
Value false
Host demo.limesurvey.org
Path /
Expires At end of session
Secure No
HttpOnly No

1. The CSRF cookie was not recreated when entering the survey URL again in the new tab.
2. The survey could be finished (POST) without any error.

I would have expected the CSRF cookie to be recreated. Since that is not the case, I would then expect a CSRF mismatch to be triggered. Neither is the case. Is that the intended behavior?

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The topic has been locked.
6 years 4 days ago #150168 by DenisChenu
CSRF cookies are tested for each $_POST session; strange that you don't have it after submitting.

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
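To make the check Denis refers to concrete, here is an added example (not LimeSurvey's or Yii's own code) that models the double-submit scheme Yii 1.x uses: the YII_CSRF_TOKEN cookie is issued when a form is rendered, and every POST must carry a YII_CSRF_TOKEN field equal to that cookie or it is rejected with HTTP 400. The script replays the manual test from the first post against that model. The cookie jar, the Request type and the survey form are constructed for the example. In the model, a POST that arrives without the cookie is only accepted when validation is switched off for that request, so the things to check on a real install (not settled by this thread) are whether the survey-taking route is exempt from CSRF validation and whether the page that renders the survey form actually issues the cookie.

```python
"""Model of Yii 1.x's double-submit CSRF check, replaying the test from this thread.

Added example: not LimeSurvey's or Yii's own code. The server side is modelled on what
Yii 1.x does when enableCsrfValidation is on: a cookie named YII_CSRF_TOKEN is issued
when a form is rendered, and every POST must carry a YII_CSRF_TOKEN field equal to that
cookie or it is rejected with HTTP 400. Cookie jar, Request type and form are constructed.
"""
import secrets
from dataclasses import dataclass, field

CSRF_NAME = "YII_CSRF_TOKEN"


class CsrfError(Exception):
    """Stands in for CHttpException(400, 'The CSRF token could not be verified.')."""


@dataclass
class Request:
    method: str
    cookies: dict
    post: dict = field(default_factory=dict)


@dataclass
class YiiCsrfModel:
    """Server side of the double-submit scheme (a model, not the real CHttpRequest)."""
    enable_csrf_validation: bool = True

    def render_form(self, jar: dict) -> dict:
        """GET the survey page: the cookie is (re)issued when the form is rendered and an
        existing one is reused. Returns the hidden fields the form carries."""
        if CSRF_NAME not in jar:
            jar[CSRF_NAME] = secrets.token_hex(20)  # 40 hex chars, like the value in the post
        return {CSRF_NAME: jar[CSRF_NAME]}

    def validate(self, req: Request) -> None:
        """Run on every request; only POSTs are checked. Raises CsrfError on failure."""
        if not self.enable_csrf_validation or req.method != "POST":
            return
        user_token = req.post.get(CSRF_NAME)
        if not user_token or CSRF_NAME not in req.cookies:
            raise CsrfError("missing YII_CSRF_TOKEN cookie or POST field")
        if not secrets.compare_digest(req.cookies[CSRF_NAME], user_token):
            raise CsrfError("cookie and POST field differ")


def try_submit(server: YiiCsrfModel, jar: dict, fields: dict) -> str:
    """Submit the survey form with the browser's current cookies."""
    try:
        server.validate(Request("POST", dict(jar), dict(fields)))
        return "accepted"
    except CsrfError:
        return "rejected (400)"


def replay(server: YiiCsrfModel) -> dict:
    """Replay the manual test from the post and record what the model does at each step."""
    jar: dict = {}  # constructed cookie jar for demo.limesurvey.org; PHPSESSID plays no role here
    out = {}

    # 1. Open the survey and finish it: rendering the form sets the cookie and the hidden field.
    form = server.render_form(jar)
    out["first_submit"] = try_submit(server, jar, form)

    # 2. Close the tab (not the browser) and delete only YII_CSRF_TOKEN from the browser.
    jar.pop(CSRF_NAME, None)

    # 3. Enter the URL again. A freshly rendered form reissues the cookie, so the second
    #    run is expected to look exactly like the first.
    form = server.render_form(jar)
    out["cookie_recreated"] = CSRF_NAME in jar
    out["second_submit"] = try_submit(server, jar, form)

    # 4. The case the post actually observed: the POST reaches the server with no cookie.
    #    Reuse the hidden field from step 3 but drop the cookie again before submitting.
    jar.pop(CSRF_NAME, None)
    out["submit_without_cookie"] = try_submit(server, jar, form)
    return out


def cross_site_forgery(server: YiiCsrfModel) -> str:
    """Why the check matters: a page on another origin can auto-submit a POST and the browser
    attaches the victim's cookies, but the attacker cannot read the cookie value (nor set it
    for demo.limesurvey.org), so the hidden field cannot match."""
    victim_jar: dict = {}
    server.render_form(victim_jar)  # the victim obtained a cookie earlier
    attacker_fields = {CSRF_NAME: secrets.token_hex(20)}  # a guess; cannot equal the cookie
    return try_submit(server, victim_jar, attacker_fields)


if __name__ == "__main__":
    for setting in (True, False):
        model = YiiCsrfModel(enable_csrf_validation=setting)
        print(f"enableCsrfValidation={setting}: {replay(model)}, "
              f"forgery={cross_site_forgery(model)}")
```

Run it directly to print the outcomes for both settings. With validation on, step 4 is the only step that fails, which is the mismatch the first post expected to see; with validation off, the same POST is accepted, which matches the observation in the post and is why the route configuration is the first thing to check.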