
insight's avatar

How to set the Cookie Expire value and XSRF-TOKEN value as Session?

Dear Friends, I am using Laravel 10, Apache 2.4.53, RHEL Server, PHP 8.2. I am not explicitly using cookies in my web site. As part of a security audit, the team advised changing the "Cookie Expire/Max age" value to "session". My console cookie is shown as [img] https://i.imgur.com/aMULmo7.png [/img]

my required value as shown [img]https://i.imgur.com/bcxZcem.png[/img]

Please advise ASAP

Thanks

Anes P A

0 likes
12 replies
s4muel's avatar

edit expire_on_close in config/session.php and set it to true

'expire_on_close' => true,
1 like
insight's avatar

@Snapey Now I got error as

Symfony\Component\HttpFoundation\InputBag::get(): Argument #1 ($key) must be of type string, array given, called in /var/www/html/ksitmCareers/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php on line 160

Please help

1 like
s4muel's avatar

@insight have you changed something else too? StartSession.php on line 160 should just get the name of the session cookie. check the cookie value in your config/session.php, should be a string. or use php artisan tinker and execute config('session.cookie') to be sure, what it is

insight's avatar

@s4muel I put a backup copy of the files and set proper file permissions, which solved the problem. In my opinion, clearing the config cache and re-caching is a SUICIDAL step.

Thanks @s4muel

Anes P A

s4muel's avatar

@insight shouldn't be suicidal in any way. if it is, something is wrong in your setup (config/permissions/etc)

insight's avatar

Dear Friends, I found a solution, by adding the below code in httpd.conf

Header always set Set-Cookie "laravel_session=Session; path=/; HttpOnly; SameSite=Lax"
Header always set Set-Cookie "XSRF-TOKEN=Session; path=/; HttpOnly; SameSite=Lax"

but that code shows a Page Expired error when I try to log in.

Please advise what else could help to set the laravel_session, XSRF-TOKEN value to "Session".

Thanks

Anes P A

s4muel's avatar

@insight that is not a solution at all. first - it does not work, does it? second - please do not do that. if i get that correctly, in that case you set the laravel_session and XSRF-TOKEN value to Session, of course it doesn't work, because the cookies are used to differentiate sessions for users, not to be the exact same value for everyone. you do not want the "value" of the cookie to be 'Session', but the cookie "expiration/max age".

i gave you the solution, here it is again: set the expire on close value to true ('expire_on_close' => true) in your config

Cruorzy's avatar

@insight It is a solution but you ignore it because you get an error. Solve the error and you got your solution.

If you think clearing cache is suicidal then you REALLY have to check your application...

1 like
s4muel's avatar

@insight

  • backup your cached configs (as you previously did)
  • do not change anything in your config yet
  • run php artisan config:cache (if you have no extended acl set up, run this with a user with permissions to corresponding folders, probably www-data user, so sudo -u www-data php artisan config:cache)
  • try if everything works, last time you broke the universe. if this happens again, you need to find a cause and fix that first - this is a crucial step!
  • if everything works fine, edit the config as mentioned in my previous replies
  • cache the config again as in step 3 above
  • now you have exactly what you want (cookies with the "session" expiration)
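
An added example, not part of the thread and not Laravel code: a check that can be run over the Set-Cookie response headers after the change, to confirm per cookie whether it is a session cookie (no Expires, no Max-Age), and to show why the httpd.conf override passes that check while handing every client the same value. Function names are hypothetical and all header strings except the two httpd.conf values are constructed.

```python
# Added example: classify Set-Cookie headers by lifetime and spot shared values.
# All header strings are constructed samples, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercase attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit(headers, required=("laravel_session", "XSRF-TOKEN")):
    """Map each required cookie to 'session', 'persistent' or 'missing'."""
    result = {name: "missing" for name in required}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in result:
            # A session cookie has neither an Expires nor a Max-Age attribute.
            persistent = "expires" in attrs or "max-age" in attrs
            result[name] = "persistent" if persistent else "session"
    return result

def shared_values(client_a, client_b):
    """Cookie names whose value is identical for two separate clients."""
    a = {n: v for n, v, _ in map(parse_set_cookie, client_a)}
    b = {n: v for n, v, _ in map(parse_set_cookie, client_b)}
    return sorted(n for n in a if n in b and a[n] == b[n])

# Constructed: both cookies carry Expires and Max-Age.
PERSISTENT = [
    "XSRF-TOKEN=constructedA%3D; expires=Tue, 09 Jun 2026 14:00:00 GMT; Max-Age=7200; path=/; samesite=lax",
    "laravel_session=constructedB%3D; expires=Tue, 09 Jun 2026 14:00:00 GMT; Max-Age=7200; path=/; httponly; samesite=lax",
]
# Constructed: a second client, no expiry attributes, different values.
SESSION_ONLY = [
    "XSRF-TOKEN=constructedC%3D; path=/; samesite=lax",
    "laravel_session=constructedD%3D; path=/; httponly; samesite=lax",
]
# The two header values from the httpd.conf attempt in the thread.
OVERRIDE = [
    "laravel_session=Session; path=/; HttpOnly; SameSite=Lax",
    "XSRF-TOKEN=Session; path=/; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for label, hdrs in (("persistent", PERSISTENT), ("session", SESSION_ONLY), ("override", OVERRIDE)):
        print(label, audit(hdrs), shared_values(hdrs, OVERRIDE))
```

The override reports both cookies as "session" yet `shared_values` lists both names, so a lifetime check alone does not show that the cookie still identifies one user.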
