CSRF-Protector-PHP
How to implement in forms?
I didn't see anywhere how to implement this only in forms? I read the whole doc and checked the src. I found this ob_handler, but it only rewrites the body to add noscript and, at the bottom, two hidden fields?
```php
// TODO: statically rewrite all forms as well so that if a form is submitted
// before the js has worked on, it will still have token to send
// @priority: medium @labels: important @assign: mebjas
// @deadline: 1 week
```
Also, why isn't there an option for SameSite lax/strict setup in the cookie?
For everyone who wants samesite in the cookie settings and httponly: in csrfpCookieConfig.php add
```php
// next to the existing expire/path/domain/secure handling of $cfg
// (also declare matching $httponly and $samesite properties on the class)
if (isset($cfg['httponly'])) {
    $this->httponly = (bool) $cfg['httponly'];
}
if (isset($cfg['samesite']) && $cfg['samesite']) {
    $this->samesite = $cfg['samesite'];
}
```
and in csrfprotector.php find setcookie and change it to
```php
// options-array form of setcookie(), available since PHP 7.3
setcookie(
    self::$config['CSRFP_TOKEN'],
    $token,
    [
        'expires'  => time() + self::$cookieConfig->expire,
        'path'     => self::$cookieConfig->path,
        'domain'   => self::$cookieConfig->domain,
        'secure'   => (bool) self::$cookieConfig->secure,
        'httponly' => (bool) self::$cookieConfig->httponly,
        'samesite' => self::$cookieConfig->samesite,
    ]
);
```
Now in config.php you can add these two fields to the cookieConfig array
```php
"cookieConfig" => array(
    "httponly" => true,
    "samesite" => 'Lax' // None || Lax || Strict
),
```
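As an added example (not code from CSRF-Protector-PHP or from anyone in this thread), here is the same cookie issued with Secure, HttpOnly and SameSite, together with a server-rendered hidden field and a double-submit check, so a plain HTML form is protected even when the JavaScript has not run. One caveat worth knowing before turning on httponly: an HttpOnly cookie is not readable from `document.cookie`, so any client-side script that copies the token out of the cookie into forms or request headers can no longer do that, and the server must put the token into the form itself, which is what `csrf_hidden_field` does below. The function names, the `csrfp_token` field name and the 30-minute expiry are assumptions made for this example; the cookie name `CSRFP_TOKEN` is the one used in this thread.

```php
<?php
declare(strict_types=1);

// Added example, not CSRF-Protector-PHP's own code. Function and field names
// (csrf_issue_token, csrf_hidden_field, csrf_validate, csrfp_token) are
// assumptions made for the example; the cookie name matches the thread above.
const CSRF_COOKIE = 'CSRFP_TOKEN';
const CSRF_FIELD  = 'csrfp_token';

/**
 * Issue (or re-use) the token cookie with Secure, HttpOnly and SameSite set.
 * Requires PHP 7.3+, where setcookie() accepts the options array used here.
 */
function csrf_issue_token(string $samesite = 'Lax'): string
{
    $existing = $_COOKIE[CSRF_COOKIE] ?? '';
    // Only re-use a cookie that looks like one we minted (64 hex chars).
    $token = (is_string($existing) && preg_match('/^[0-9a-f]{64}$/', $existing) === 1)
        ? $existing
        : bin2hex(random_bytes(32));

    setcookie(CSRF_COOKIE, $token, [
        'expires'  => time() + 1800,   // assumed 30-minute lifetime
        'path'     => '/',
        'secure'   => true,            // never sent over plain HTTP
        'httponly' => true,            // not readable from document.cookie
        'samesite' => $samesite,       // 'Lax' or 'Strict'; 'None' needs secure=true
    ]);
    return $token;
}

/** Server-side rendering of the hidden field, so the form works without any JS. */
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Double-submit check: the value posted in the form must equal the value in
 * the cookie. Written over plain arrays so it can be unit-tested offline.
 */
function csrf_validate(array $cookies, array $post): bool
{
    $fromCookie = $cookies[CSRF_COOKIE] ?? '';
    $fromForm   = $post[CSRF_FIELD] ?? '';
    if (!is_string($fromCookie) || !is_string($fromForm)
        || $fromCookie === '' || $fromForm === '') {
        return false;
    }
    return hash_equals($fromCookie, $fromForm); // constant-time comparison
}

if (PHP_SAPI !== 'cli') {
    // Web request: reject any state-changing request whose token does not match.
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_validate($_COOKIE, $_POST)) {
        http_response_code(403);
        exit('CSRF token missing or mismatched');
    }
    $token = csrf_issue_token();
    echo '<form method="post">', csrf_hidden_field($token),
         '<button>Submit</button></form>';
} else {
    // Offline demo with constructed request data.
    $token = csrf_issue_token();
    echo csrf_hidden_field($token), PHP_EOL;
    var_dump(csrf_validate([CSRF_COOKIE => $token], [CSRF_FIELD => $token]));
    var_dump(csrf_validate([CSRF_COOKIE => $token], [CSRF_FIELD => 'forged']));
}
```

Run it with `php csrf_example.php` for the offline demo, or serve it to see the form round-trip. The validation is deliberately a pure function of the cookie and POST arrays rather than a read of the superglobals, so the pass and fail cases can be exercised without a web server.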
Can someone help me with a guide on how to implement it in forms?
What came out of this? Is there something set up for forms or is it a manual process?
Ah, never mind. I see that it is set up to inject a hidden input field containing the CSRF token in the forms.