PHP Session vs CSRF Token
2 years 5 months ago #206765
by Dialogs
Hi,
When we add newtest=Y in the URL of a public survey, we force a new PHP session. In this case, the cookie PHPSESSID is reset each time a specific user reloads the URL. But the cookie YII_CSRF_TOKEN is not reloaded in this case. Is it normal? Can the fact that one of the two cookies is reset but not the other cause certain problems? For example, issues where the CSRF token could not be verified...
Thanks,
Alexandre
The topic has been locked.
2 years 5 months ago - 2 years 5 months ago #206797
by jelo
> Dialogs wrote: But, the cookie YII_CSRF_TOKEN is not reloaded in this case. Is it normal?

I consider that normal.
The CSRF cookie is not just placed when you e.g. just enter a survey. You will only see a PHPSESSID cookie (name depends on the server-side setting), which will contain survey data, and which will be deleted when newtest=Y is used.
The CSRF-Token is set when you e.g. get a login screen for the backend. If you're logged in as a user, you wouldn't want to recreate the CSRF-Token when you just want to delete a survey response session.
The CSRF cookie is not set when you enter the index page of LimeSurvey, but everywhere else, to ensure every interaction between the browser and LimeSurvey is from just your browser.
The login screen is the easiest example to understand the difference between these two cookies.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
Last edit: 2 years 5 months ago by jelo.
The following user(s) said Thank You: DenisChenu, Dialogs
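The cookie behaviour jelo describes can be checked with a short PHP script. The following is an added example, not LimeSurvey's or Yii's code: it models the cookie-based CSRF scheme (the token lives in a cookie and the same value is echoed back in a hidden form field, in the style of Yii 1.x) next to a minimal stand-in for what newtest=Y does to the PHP session. The cookie names PHPSESSID and YII_CSRF_TOKEN, the function names and the walkthrough data are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not LimeSurvey or Yii code. It models a cookie-based
// ("double submit") CSRF check and shows why dropping the PHP session with
// newtest=Y does not need to touch the CSRF cookie.
// Cookie names are assumptions: PHP's default session cookie name and the
// Yii 1.x default CSRF cookie name; a deployment may rename either.
const SESSION_COOKIE = 'PHPSESSID';
const CSRF_COOKIE    = 'YII_CSRF_TOKEN';

/** Issue the CSRF cookie only if the browser does not already carry one. */
function ensureCsrfCookie(array &$cookies): string
{
    if (empty($cookies[CSRF_COOKIE])) {
        $cookies[CSRF_COOKIE] = bin2hex(random_bytes(32));
    }
    return $cookies[CSRF_COOKIE];
}

/**
 * Check a state-changing request: the token in the submitted form field must
 * equal the token in the cookie. Neither half lives in $_SESSION, so the
 * check is independent of PHPSESSID.
 */
function validateCsrf(array $cookies, array $post): bool
{
    $cookieToken = (string) ($cookies[CSRF_COOKIE] ?? '');
    $postToken   = (string) ($post[CSRF_COOKIE] ?? '');
    if ($cookieToken === '' || $postToken === '') {
        return false;
    }
    return hash_equals($cookieToken, $postToken);
}

/** Model newtest=Y: discard the server-side survey session and issue a fresh id. */
function startNewSurveySession(array &$cookies, array &$serverSessions): void
{
    $oldId = $cookies[SESSION_COOKIE] ?? null;
    if ($oldId !== null) {
        unset($serverSessions[$oldId]);   // the stored survey answers are gone
    }
    $newId = bin2hex(random_bytes(16));
    $cookies[SESSION_COOKIE] = $newId;
    $serverSessions[$newId]  = ['answers' => []];
}

// --- Walkthrough over a constructed browser cookie jar and session store ---
$browserCookies = [];   // what the browser sends back on each request
$serverSessions = [];   // what PHP keeps under each session id

// 1. First request to the survey: only a session cookie exists so far.
startNewSurveySession($browserCookies, $serverSessions);
$firstSessionId = $browserCookies[SESSION_COOKIE];

// 2. A page with a form (e.g. the login screen) hands out the CSRF cookie and
//    embeds the same value as a hidden field.
$hiddenField = ensureCsrfCookie($browserCookies);

// 3. The user reloads with newtest=Y: PHPSESSID changes, YII_CSRF_TOKEN does not.
startNewSurveySession($browserCookies, $serverSessions);
printf("session id changed:   %s\n",
    $browserCookies[SESSION_COOKIE] !== $firstSessionId ? 'yes' : 'no');
printf("csrf cookie changed:  %s\n",
    ensureCsrfCookie($browserCookies) !== $hiddenField ? 'yes' : 'no');

// 4. A form rendered before the reset still validates: cookie and hidden
//    field are still the same pair.
printf("own form after reset: %s\n",
    validateCsrf($browserCookies, [CSRF_COOKIE => $hiddenField]) ? 'accepted' : 'rejected');

// 5. A request that carries the cookie (browsers attach it automatically) but
//    cannot supply the matching hidden field is rejected whatever the session
//    state. This is the case the CSRF check exists for.
printf("no hidden field:      %s\n",
    validateCsrf($browserCookies, []) ? 'accepted' : 'rejected');
printf("wrong hidden field:   %s\n",
    validateCsrf($browserCookies, [CSRF_COOKIE => str_repeat('0', 64)]) ? 'accepted' : 'rejected');
```

Run it with php-cli. Step 3 reports that the session id changed while the CSRF cookie did not, step 4 shows that a form issued before the reset is still accepted, and step 5 shows that a request lacking the matching hidden field is rejected. The point for Alexandre's question is that the CSRF check compares the cookie with the form field and never consults the PHP session, so resetting PHPSESSID cannot make a CSRF verification fail or succeed on its own; the two cookies protect against different things.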