
device_view cookie does not respect framework cookie configuration

Open tina-junold opened this issue 7 years ago • 7 comments

The device_view cookie should respect (and use) the "cookie-*" and "httponly" parameters, since currently it lowers security. The cookie is also allowed over http, but my (server/symfony) configuration does not allow it: Mozilla Observatory - "Cookies set without using the Secure flag, but transmission over HTTP prevented by HSTS"

tina-junold avatar Mar 26 '17 23:03 tina-junold

I just had this flagged from a security scan as an issue and have had to remove this bundle from my project, unfortunately. Is there a workaround to force the device_view cookie to be secure?

OneWeb avatar Apr 06 '18 08:04 OneWeb

Which settings are you talking about? Can you show an example?

xabbuh avatar Apr 06 '18 09:04 xabbuh

Sure, it's part of Symfony's framework config for sessions:

https://symfony.com/doc/3.4/reference/configuration/framework.html#cookie-secure

and

https://symfony.com/doc/3.4/reference/configuration/framework.html#cookie-httponly

OneWeb avatar Apr 08 '18 19:04 OneWeb

That's the expected behaviour. The configuration setting you linked to is not taken into account for all cookies but only affects the session cookie. See symfony/symfony#26731 for a similar feature request in the Symfony core.

xabbuh avatar Apr 09 '18 08:04 xabbuh

Thanks for pointing this out, I was not aware. Is there a way to make the cookie secure on this MobileDetectBundle?

OneWeb avatar Apr 09 '18 09:04 OneWeb

You can create your own event listener that modifies the cookie accordingly.

xabbuh avatar Apr 09 '18 10:04 xabbuh
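One way to do what the previous comment suggests, as an added example that is not part of MobileDetectBundle or of this thread: a `kernel.response` subscriber that finds the bundle's `device_view` cookie on the outgoing response and re-issues it with `Secure` and `HttpOnly` forced on. It assumes Symfony 4.3 or later (for `ResponseEvent`), that the bundle uses its default cookie name `device_view`, and that the bundle sets the cookie in its own response listener, so this subscriber registers with a negative priority to run after it. The class and namespace are hypothetical names for an application-level subscriber.

```php
<?php
// Added example (not MobileDetectBundle code): re-issue the device_view cookie
// with the Secure and HttpOnly flags set, regardless of what the bundle emitted.
// Assumptions: Symfony >= 4.3 (ResponseEvent), default cookie name "device_view",
// and the bundle sets its cookie during kernel.response at default priority.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class SecureDeviceViewCookieSubscriber implements EventSubscriberInterface
{
    // Name used by the bundle for its device view cookie (default setting).
    private const COOKIE_NAME = 'device_view';

    public static function getSubscribedEvents(): array
    {
        // Negative priority: run after the listener that added the cookie,
        // otherwise there is nothing on the response yet to rewrite.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        $headers = $event->getResponse()->headers;

        foreach ($headers->getCookies() as $cookie) {
            if ($cookie->getName() !== self::COOKIE_NAME) {
                continue;
            }
            if ($cookie->isSecure() && $cookie->isHttpOnly()) {
                continue; // already carries both flags, leave it alone
            }

            // Drop the insecure cookie and set an identical one (same value,
            // expiry, path, domain, raw flag, SameSite) with both flags on.
            $headers->removeCookie($cookie->getName(), $cookie->getPath(), $cookie->getDomain());
            $headers->setCookie(new Cookie(
                $cookie->getName(),
                $cookie->getValue(),
                $cookie->getExpiresTime(),
                $cookie->getPath(),
                $cookie->getDomain(),
                true,  // secure: only sent over HTTPS
                true,  // httpOnly: not readable from JavaScript
                $cookie->isRaw(),
                $cookie->getSameSite() ?? Cookie::SAMESITE_LAX
            ));
        }
    }
}
```

With `autoconfigure` enabled the subscriber is picked up without extra service configuration. Two things to check before relying on it: confirm with the response headers (or the same scanner that flagged the cookie) that the rewritten `Set-Cookie` actually carries `Secure; HttpOnly`, since the priority assumption above is what makes the rewrite land after the bundle's own listener; and keep `HttpOnly` only if no client-side script in the application reads `device_view`, because the flag hides the cookie from JavaScript.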

Why not set the const COOKIE_SECURE_DEFAULT = true; in the Helper/DeviceView.php file?

ghost avatar Mar 14 '19 11:03 ghost