
PHP Session vs CSRF Token

3 years 6 months ago #206765 by Dialogs
PHP Session vs CSRF Token was created by Dialogs
Hi,

When we add newtest=Y to the URL of a public survey, we force a new PHP session. In this case, the cookie PHPSESSID is reset each time a specific user reloads the URL. But the cookie YII_CSRF_TOKEN is not reloaded in this case. Is that normal? Can the fact that one of the two cookies is reset but not the other cause certain problems? For example, issues where the CSRF token could not be verified...

Thanks,

Alexandre
The topic has been locked.
3 years 6 months ago - 3 years 6 months ago #206797 by jelo
Replied by jelo on topic PHP Session vs CSRF Token

Dialogs wrote: But the cookie YII_CSRF_TOKEN is not reloaded in this case. Is that normal?

I consider that normal.

The CSRF cookie is not placed when you e.g. just enter a survey. You will only see a PHPSESSID cookie (the name depends on the server-side setting), which will contain survey data and which will be deleted when newtest=Y is used.

The CSRF-Token is set when you e.g. get a login screen for the backend. If you're logged in as a user, you wouldn't want to recreate the CSRF-Token when you just want to delete a survey response session.
The CSRF cookie is not set when you enter the index page of LimeSurvey, but everywhere else, to ensure every interaction between the browser and LimeSurvey is from just your browser.

The login screen is the easiest example to understand the difference between these two cookies.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
Last edit: 3 years 6 months ago by jelo.
The following user(s) said Thank You: DenisChenu, Dialogs
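To make jelo's point concrete, here is an added illustration (not LimeSurvey's or Yii's own code) of why resetting the survey session leaves the CSRF check intact: the token lives in its own cookie and is compared with a hidden form field, independent of PHPSESSID. The cookie and field name, the helper names and the exact cookie flags are assumptions chosen to mirror the thread.

```php
<?php
// Added example, modelled on a double-submit CSRF cookie like YII_CSRF_TOKEN.
// Not LimeSurvey/Yii code; the cookie name is reused only to match the thread.
const CSRF_COOKIE = 'YII_CSRF_TOKEN';

// Issue the CSRF cookie once. It is not tied to the PHP session at all.
// 'secure' assumes the site is served over HTTPS (drop it for a local test).
function csrfToken(): string
{
    if (empty($_COOKIE[CSRF_COOKIE])) {
        $_COOKIE[CSRF_COOKIE] = bin2hex(random_bytes(32));
        setcookie(CSRF_COOKIE, $_COOKIE[CSRF_COOKIE], [
            'httponly' => true, 'samesite' => 'Lax', 'secure' => true, 'path' => '/',
        ]);
    }
    return $_COOKIE[CSRF_COOKIE];
}

// A POST is valid only if the hidden field equals the cookie (constant-time compare).
function csrfValid(array $post, array $cookie): bool
{
    return isset($post[CSRF_COOKIE], $cookie[CSRF_COOKIE])
        && hash_equals($cookie[CSRF_COOKIE], $post[CSRF_COOKIE]);
}

// The equivalent of newtest=Y: throw away the survey session and get a fresh
// PHPSESSID. The CSRF cookie is untouched, so later POSTs still verify.
function startNewSurveySession(): void
{
    session_start();
    $_SESSION = [];
    session_regenerate_id(true);
}

startNewSurveySession();
$token = csrfToken();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST, $_COOKIE)) {
        http_response_code(400);
        exit('The CSRF token could not be verified.');
    }
    // ... store the submitted answer in $_SESSION here ...
}

// The hidden field carries the same value as the cookie; a cross-site form
// cannot read the cookie, so it cannot produce a matching field.
echo '<form method="post"><input type="hidden" name="' . CSRF_COOKIE
    . '" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
    . '<button>Submit</button></form>';
```

Reloading with the session reset changes PHPSESSID on every request, while the CSRF cookie and the hidden field keep matching, which is why the two cookies having different lifetimes does not break verification.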
3 years 6 months ago #206853 by Dialogs
Replied by Dialogs on topic PHP Session vs CSRF Token
Thanks for your answer!