Set httpOnly flag for CSRF token in Laravel

Guido Rus picture Guido Rus · Nov 23, 2015 · Viewed 10k times · Source

I'm building an application in Laravel 5.1 for a client. After I finished the application I got back an pentest report which tells me to add a HttpOnly flag. I added 'secure' => true and 'http_only' => true to app/config/session.php. The httpOnly flag is set for all sessions, except the XSRF-TOKEN session. How am I able to set this flag as well?

Answer

Stefan Riehl picture Stefan Riehl · Feb 10, 2016

You are able to overwrite the method addCookieToResponse($request, $response) in App\Http\Middleware\VerifyCsrfToken

/**
 * Add the CSRF token to the response cookies.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Illuminate\Http\Response  $response
 * @return \Illuminate\Http\Response
 */
protected function addCookieToResponse($request, $response)
{
    $response->headers->setCookie(
        new Cookie('XSRF-TOKEN',
            $request->session()->token(),
            time() + 60 * 120,
            '/',
            null,
            config('session.secure'),
            false)
    );

    return $response;
}

And do not forget to add

use Symfony\Component\HttpFoundation\Cookie;