
Bug: Error after updating codeigniter 4 shield #865

@githaigamaina

PHP Version

8.1.5

CodeIgniter4 Version

4.4.1

Shield Version

dev-develop 41fb00e

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

postgres 15

Did you customize Shield?

No

What happened?

CodeIgniter\Shield\Exceptions\SecurityException
Config\Security::$csrfProtection is set to 'cookie'. Same-site attackers may bypass the CSRF protection. Please set it to 'session'.
VENDORPATH\codeigniter4\shield\src\Authentication\Authenticators\Session.php at line 96

```
89      */
90     private function checkSecurityConfig(): void
91     {
92         /** @var Security $securityConfig */
93         $securityConfig = config('Security');
94
95         if ($securityConfig->csrfProtection === 'cookie') {
96             throw new SecurityException(
97                 'Config\Security::$csrfProtection is set to \'cookie\'.'
98                     . ' Same-site attackers may bypass the CSRF protection.'
99                     . ' Please set it to \'session\'.'
100             );
101         }
102     }
103
```

Steps to Reproduce

After updating using composer update, the file VENDORPATH\codeigniter4\shield\src\Authentication\Authenticators\Session.php at line 96 changed from session to cookie.

Expected Output

VENDORPATH\codeigniter4\shield\src\Authentication\Authenticators\Session.php should be if ($securityConfig->csrfProtection === 'session') {

Anything else?

no
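
Why the check quoted in the exception refuses the 'cookie' setting, as an added example that is not part of the original issue and is not CodeIgniter's or Shield's code: a simplified model of the two token stores. The function names, the `csrf_cookie` and `csrf_token` keys and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model of the two CSRF token stores (illustrative, not framework code).

/** 'cookie' mode: the expected token is read back from the request's own cookie. */
function verifyCookieMode(array $cookies, array $post): bool
{
    $expected = $cookies['csrf_cookie'] ?? '';   // hypothetical cookie name
    $sent     = $post['csrf_token'] ?? '';       // hypothetical form field name

    return $expected !== '' && hash_equals($expected, $sent);
}

/** 'session' mode: the expected token lives in server-side session storage. */
function verifySessionMode(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $sent     = $post['csrf_token'] ?? '';

    return $expected !== '' && hash_equals($expected, $sent);
}

// Constructed sample data.
$issued  = bin2hex(random_bytes(16));   // token the server issued to the user
$session = ['csrf_token' => $issued];   // held server-side, never supplied by the client

// Legitimate form post: every copy of the token matches.
$goodCookies = ['csrf_cookie' => $issued];
$goodPost    = ['csrf_token' => $issued];

// Request whose cookie and form field agree with each other,
// but carry a value the server never issued.
$unissuedCookies = ['csrf_cookie' => 'constructed-value'];
$unissuedPost    = ['csrf_token' => 'constructed-value'];

$rows = [
    'cookie mode, legitimate'  => verifyCookieMode($goodCookies, $goodPost),
    'cookie mode, unissued'    => verifyCookieMode($unissuedCookies, $unissuedPost),
    'session mode, legitimate' => verifySessionMode($session, $goodPost),
    'session mode, unissued'   => verifySessionMode($session, $unissuedPost),
];

foreach ($rows as $case => $accepted) {
    printf("%-26s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```

In cookie mode both compared values arrive with the request, so the comparison proves only that they match each other; in session mode one side is held by the server, which is the setting the exception message asks for in `Config\Security::$csrfProtection`.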
