PHP Session vs CSRF Token

4 days 10 hours ago #206765 by extract
Hi,


When we add newtest=Y in the URL of a public survey, we force a new PHP session. In this case, the cookie PHPSESSID is reset each time a specific user reloads the URL. But the cookie YII_CSRF_TOKEN is not reloaded in this case. Is it normal? Can the fact that one of the two cookies is reset but not the other cause certain problems? For example, issues where the CSRF token could not be verified...

Thanks,

Alexandre

2 days 21 hours ago - 2 days 21 hours ago #206797 by jelo
Replied by jelo on topic PHP Session vs CSRF Token

extract wrote: But the cookie YII_CSRF_TOKEN is not reloaded in this case. Is it normal?

I consider that normal.

The CSRF cookie is not placed when you e.g. just enter a survey. You will only see a PHPSESSID cookie (name depends on server-side setting), which will contain survey data, which will be deleted when newtest=Y is used.

The purpose of the CSRF-Token is set, when you e.g. get a login screen for the backend. If you're logged in as a user, you wouldn't want to recreate the CSRF-Token when you just want to delete a survey response session.
The CSRF is not set when you enter the index page of LimeSurvey. But everywhere else to ensure every interaction between the browser and LimeSurvey is from just your browser.

The login screen is the easiest example to understand the difference between these two cookies.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
Last edit: 2 days 21 hours ago by jelo.
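To illustrate the point jelo makes, here is an added example (not LimeSurvey's or Yii's own code) that models the two cookies as plain PHP arrays: the survey session is discarded and PHPSESSID regenerated, as newtest=Y does, while the YII_CSRF_TOKEN cookie is left untouched, and the double-submit CSRF check still passes because it compares the cookie value with the posted value rather than anything stored in the session. The function names, the token generation and the sample session contents are assumptions made for the example.

```php
<?php
// Added example, not LimeSurvey/Yii code: a minimal model of the two cookies.
// The CSRF token lives in its own cookie and is validated against the token
// submitted in the POST body, independently of the PHP session.
const CSRF_COOKIE = 'YII_CSRF_TOKEN';

// Issue the CSRF cookie only if the browser does not already have one
// (hypothetical generation; the real framework has its own).
function ensureCsrfCookie(array &$cookies): string
{
    if (!isset($cookies[CSRF_COOKIE])) {
        $cookies[CSRF_COOKIE] = bin2hex(random_bytes(20));
    }
    return $cookies[CSRF_COOKIE];
}

// Double-submit check: the cookie token must equal the posted token.
function csrfTokenIsValid(array $cookies, array $post): bool
{
    return isset($cookies[CSRF_COOKIE], $post[CSRF_COOKIE])
        && hash_equals($cookies[CSRF_COOKIE], $post[CSRF_COOKIE]);
}

// What newtest=Y does in effect: drop the survey session and start a new one.
// The CSRF cookie is deliberately not touched here.
function resetSurveySession(array &$session, string &$sessionId): void
{
    $session   = [];                          // survey answers are gone
    $sessionId = bin2hex(random_bytes(16));   // fresh PHPSESSID value
}

// Simulated browser state (constructed values, not real cookies).
$cookies   = [];
$session   = ['survey_123' => ['step' => 3, 'answers' => ['Q1' => 'yes']]];
$sessionId = bin2hex(random_bytes(16));

$token        = ensureCsrfCookie($cookies);   // set when the first form is shown
$oldSessionId = $sessionId;

resetSurveySession($session, $sessionId);     // user reloads with newtest=Y

assert($sessionId !== $oldSessionId);         // PHPSESSID changed
assert($session === []);                      // survey data discarded
assert($cookies[CSRF_COOKIE] === $token);     // CSRF cookie unchanged
// A form rendered after the reset embeds the same cookie token, so it validates.
assert(csrfTokenIsValid($cookies, [CSRF_COOKIE => $token]));
// A token that does not match this browser's cookie is rejected.
assert(!csrfTokenIsValid($cookies, [CSRF_COOKIE => str_repeat('0', 40)]));
echo "session reset, CSRF token still valid\n";
```

Run with zend.assertions=1 so the checks are actually evaluated.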

1 day 14 hours ago #206853 by extract
Replied by extract on topic PHP Session vs CSRF Token
Thanks for your answer!
