
SameSite Tag Cookie override phalcon class

Hi, I saw that there exists an attribute called "SameSite" for cookies. It prevents attacks based on CSRF and is compatible with Chrome and Firefox, but Phalcon doesn't implement it.

Here is more information about it: https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

I would like a little help to implement it in an override of the cookie class.

Regards, and thanks in advance.
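One way to implement the override the question asks for, as an added example that is not Phalcon's own code: a `Phalcon\Http\Cookie` subclass whose `send()` passes SameSite through PHP's `setcookie()` options array (PHP 7.3+). It assumes the Phalcon 3.x public getters, that cookie encryption is off, that `$di` is the application's container, and that `Cookies::set()` resolves the cookie class by the service name `Phalcon\Http\Cookie`, so registering that name swaps in the subclass.

```php
<?php
// Added example, not Phalcon's code. Assumes Phalcon 3.x getters, cookie
// encryption disabled, PHP >= 7.3 for the setcookie() options array.
use Phalcon\Http\Cookie;
use Phalcon\Http\CookieInterface;

class SameSiteCookie extends Cookie
{
    // Lax is the safe default: cookies still ride along on top-level GET
    // navigations but not on cross-site POSTs, which is where CSRF lives.
    protected $sameSite = 'Lax';

    public function setSameSite(string $mode): self
    {
        $mode = ucfirst(strtolower($mode));
        if (!in_array($mode, ['Lax', 'Strict', 'None'], true)) {
            throw new \InvalidArgumentException("Unsupported SameSite value: $mode");
        }
        // Browsers drop SameSite=None cookies that lack Secure; fail loudly here.
        if ($mode === 'None' && !$this->getSecure()) {
            throw new \LogicException('SameSite=None requires the Secure flag');
        }
        $this->sameSite = $mode;
        return $this;
    }

    public function getSameSite(): string
    {
        return $this->sameSite;
    }

    // The parent send() calls the 7-argument setcookie(), which has no slot
    // for SameSite, so the whole call is replaced with the options form.
    public function send(): CookieInterface
    {
        setcookie($this->getName(), (string) $this->getValue(), [
            'expires'  => (int) $this->getExpiration(),
            'path'     => (string) $this->getPath(),
            'domain'   => (string) $this->getDomain(),
            'secure'   => (bool) $this->getSecure(),
            'httponly' => (bool) $this->getHttpOnly(),
            'samesite' => $this->sameSite,
        ]);
        return $this;
    }
}

// Cookies::set() asks the DI for "Phalcon\Http\Cookie" with the constructor
// arguments, so a closure under that name makes every cookie a SameSiteCookie.
$di->set('Phalcon\Http\Cookie', function (string $name, $value = null, $expire = 0,
    $path = '/', $secure = null, $domain = null, $httpOnly = null) {
    return (new SameSiteCookie($name, $value, $expire, $path, $secure, $domain, $httpOnly))
        ->setSameSite('Lax');
});
```

Check the result with the browser's developer tools or `curl -i`: the `Set-Cookie` response header should now end with `SameSite=Lax`.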




I am gonna go ahead and make a bold statement that you don't need this. Phalcon has https://docs.phalcon.io/hu/3.3/security#csrf, which you can use instead. Keep in mind that AJAX requests are hard to cross-site check, but in the end, you don't really need to.

I feel like people are taking this CSRF too seriously. I still think that a reCAPTCHA (by Google) is by far the best solution. I use this kind of stuff only on my login/registration/forgotten password pages.