device_view cookie does not respect framework cookie configuration #106
I just had this flagged from a security scan as an issue and have had to remove this bundle from my project, unfortunately. Is there a workaround to force the device_view cookie to be secure?
Which settings are you talking about? Can you show an example?
Sure, it's part of Symfony's framework config for sessions: https://symfony.com/doc/3.4/reference/configuration/framework.html#cookie-secure and https://symfony.com/doc/3.4/reference/configuration/framework.html#cookie-httponly
That's the expected behaviour. The configuration setting you linked to is not taken into account for all cookies but only affects the session cookie. See symfony/symfony#26731 for a similar feature request in the Symfony core.
Thanks for pointing this out, I was not aware. Is there a way to make the cookie secure on this MobileDetectBundle?
You can create your own event listener that modifies the cookie accordingly.
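One way to do what the comment above suggests, as an added example that is not part of the bundle or of this thread: a `kernel.response` subscriber that runs after the bundle's own listener, finds the `device_view` cookie on the outgoing response, and replaces it with a copy carrying the Secure and HttpOnly flags. It assumes the bundle sets its cookie at the default priority 0 (hence the negative priority here), uses the Symfony 3.4/4.x event class `FilterResponseEvent` (renamed `ResponseEvent` in 4.3), and assumes the `App\EventSubscriber` namespace and the two constructor arguments, which are illustrative.

```php
<?php
// src/EventSubscriber/DeviceViewCookieSubscriber.php (hypothetical path)
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Re-issues the MobileDetectBundle "device_view" cookie with the Secure and
 * HttpOnly flags, since framework.session.cookie_* only applies to the
 * session cookie. Example code, not part of the bundle.
 */
final class DeviceViewCookieSubscriber implements EventSubscriberInterface
{
    const COOKIE_NAME = 'device_view';

    private $secure;
    private $httpOnly;

    // Wire these from services.yaml so they mirror your session cookie settings
    // (assumed arguments; the bundle exposes no such options).
    public function __construct($secure = true, $httpOnly = true)
    {
        $this->secure = (bool) $secure;
        $this->httpOnly = (bool) $httpOnly;
    }

    public static function getSubscribedEvents()
    {
        // Negative priority: run AFTER the bundle's kernel.response listener
        // (assumed to be at priority 0) so the cookie it added is already on
        // the response when we inspect it.
        return array(KernelEvents::RESPONSE => array('onKernelResponse', -64));
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return; // sub-requests do not own the outgoing Set-Cookie headers
        }

        $headers = $event->getResponse()->headers;

        // getCookies() returns a flat copy, so removing/adding inside the loop is safe.
        foreach ($headers->getCookies() as $cookie) {
            if ($cookie->getName() !== self::COOKIE_NAME) {
                continue;
            }
            if ($cookie->isSecure() === $this->secure && $cookie->isHttpOnly() === $this->httpOnly) {
                continue; // already hardened, nothing to do
            }

            // Cookies are identified by name+path+domain; remove the original
            // before adding the replacement so only one Set-Cookie is emitted.
            $headers->removeCookie($cookie->getName(), $cookie->getPath(), $cookie->getDomain());

            // Keep every other attribute (value, expiry, path, domain, raw, SameSite)
            // and only override the two security flags.
            $headers->setCookie(new Cookie(
                $cookie->getName(),
                $cookie->getValue(),
                $cookie->getExpiresTime(),
                $cookie->getPath(),
                $cookie->getDomain(),
                $this->secure,
                $this->httpOnly,
                $cookie->isRaw(),
                $cookie->getSameSite()
            ));
        }
    }
}
```

With `autoconfigure: true` the subscriber is registered automatically; otherwise tag it with `kernel.event_subscriber`. Before enabling HttpOnly, confirm that no front-end script reads `device_view` from `document.cookie`, since the flag hides the cookie from JavaScript; the bundle's own view switching happens server-side and is unaffected. Setting `$secure` to true also means the cookie is never sent over plain HTTP, which is what the Observatory finding asks for.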
Why not set the
The device_view cookie should respect (and use) the "cookie-*" and "httponly" parameters, since currently it lowers security. The cookie is also allowed over http, but my (server/symfony) configuration does not allow it: Mozilla Observatory - "Cookies set without using the Secure flag, but transmission over HTTP prevented by HSTS"