Is the following the expected behavior?
Accessing an activated survey on demo.limesurvey.org and finishing the survey.
Three cookies are set in the browser:

Name            Value                                     Host                 Path  Expires            Secure  HttpOnly
PHPSESSID       hrd747j4jmh2ipnhbbmb1aaj51                demo.limesurvey.org  /     At end of session  Yes     Yes
YII_CSRF_TOKEN  c84abb957a10959e77a188c4c0f0477d3048c217  demo.limesurvey.org  /     At end of session  Yes     No
userpermissions false                                     demo.limesurvey.org  /     At end of session  No      No
Close the tab, not the browser.
For testing, the cookie "YII_CSRF_TOKEN" is removed manually from the browser.
The URL is entered again in a new tab without NEWTEST=Y.
After completing the survey the second time, the cookies found in the browser are:
Name            Value                                     Host                 Path  Expires            Secure  HttpOnly
PHPSESSID       hrd747j4jmh2ipnhbbmb1aaj51                demo.limesurvey.org  /     At end of session  Yes     Yes
userpermissions false                                     demo.limesurvey.org  /     At end of session  No      No
1. The CSRF cookie was not recreated when entering the survey URL again in the new tab.
2. The survey could be finished (POST) without any error.
I would have expected that the CSRF cookie is recreated. But since that is not the case, I would then expect that a CSRF mismatch is triggered. Neither is the case. Is that the intended behavior?
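To make the behavior the post expects concrete, here is an added Python model of a Yii-1 style double-submit CSRF check (added here; it is not LimeSurvey's or Yii's code, and the cookie jar, form token and replay of the two visits are constructed). It shows the outcome a correctly enforced check yields at each step: a POST arriving without the cookie is rejected, and a fresh page load re-issues the cookie.

```python
import hmac
import secrets

CSRF_COOKIE = "YII_CSRF_TOKEN"  # cookie name seen in the post


def issue_token(cookies):
    """Return the client's CSRF token, creating and setting the cookie
    when the browser did not send one (the re-creation the post expects)."""
    token = cookies.get(CSRF_COOKIE)
    if not token:
        token = secrets.token_hex(20)  # 40 hex chars, like the value in the post
        cookies[CSRF_COOKIE] = token
    return token


def validate_csrf(cookies, post):
    """Double-submit check: cookie and POST field must both exist and match.
    A missing cookie is a failure, not a pass."""
    cookie_token = cookies.get(CSRF_COOKIE)
    user_token = post.get(CSRF_COOKIE)
    if not cookie_token or not user_token:
        return False
    return hmac.compare_digest(cookie_token, user_token)  # constant-time compare


def simulate_two_submissions():
    """Replay the steps from the post against this model (constructed data)."""
    browser = {}  # constructed cookie jar; PHPSESSID is irrelevant to the check
    # Visit 1: page load issues the cookie and embeds the token in the form.
    form_token = issue_token(browser)
    first_ok = validate_csrf(browser, {CSRF_COOKIE: form_token})
    # The tester deletes YII_CSRF_TOKEN manually and keeps the session cookie.
    del browser[CSRF_COOKIE]
    # A POST of the old form with no cookie present must be rejected.
    replay_ok = validate_csrf(browser, {CSRF_COOKIE: form_token})
    # Loading the survey URL again re-issues the cookie with a new value...
    new_token = issue_token(browser)
    recreated = CSRF_COOKIE in browser and new_token != form_token
    # ...so the stale form token fails and only the fresh one passes.
    stale_ok = validate_csrf(browser, {CSRF_COOKIE: form_token})
    fresh_ok = validate_csrf(browser, {CSRF_COOKIE: new_token})
    return {
        "first_ok": first_ok,
        "replay_without_cookie_ok": replay_ok,
        "cookie_recreated": recreated,
        "stale_token_ok": stale_ok,
        "fresh_token_ok": fresh_ok,
    }
```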
CSRF cookies are tested for each $_POST session; strange that you don't have it after submitting.
Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time. I'm not a LimeSurvey GmbH member.
Professional support. Plugins, theme and development. I don't answer private messages.