Skip to content

Y
yii2
Commit 7ae72a94 by Qiang Xue
Options

improved doc. [skip ci]

parent 8b3b6b4e
Showing with 11 additions and 3 deletions
docs/guide/runtime-sessions-cookies.md
...@@ -288,16 +288,24 @@ examples, the [[yii\web\Cookie]] class also defines other properties to fully re ...@@ -288,16 +288,24 @@ examples, the [[yii\web\Cookie]] class also defines other properties to fully re
of cookies, such as [[yii\web\Cookie::domain|domain]], [[yii\web\Cookie::expire|expire]]. You may configure these of cookies, such as [[yii\web\Cookie::domain|domain]], [[yii\web\Cookie::expire|expire]]. You may configure these
properties as needed to prepare a cookie and then add it to the response's cookie collection. properties as needed to prepare a cookie and then add it to the response's cookie collection.
> Note: For better security, the default value of [[yii\web\Cookie::httpOnly]] is set true. This helps mitigate
the risk of client side script accessing the protected cookie (if the browser supports it). You may read
the [httpOnly wiki article](https://www.owasp.org/index.php/HttpOnly) for more details.
### Cookie Validation <a name="cookie-validation"></a> ### Cookie Validation <a name="cookie-validation"></a>
When you are reading and sending cookies through the `request` and `response` components like shown in the last When you are reading and sending cookies through the `request` and `response` components like shown in the last
two subsections, you enjoy the added security of cookie validation which protects cookies from being modified two subsections, you enjoy the added security of cookie validation which protects cookies from being modified
on the client side. This is achieved by signing each cookie with a hash string. If a cookie is modified somehow, on the client side. This is achieved by signing each cookie with a hash string, which allows the application to
it will fail the validation of its associated hash and will be removed from the cookie collection in the request. tell if a cookie is modified on the client side or not. If so, the cookie will NOT be accessible through the
[[yii\web\Request::cookies|cookie collection]] of the `request` component.
> Info: If a cookie fails the validation, you may still access it through `$_COOKIE`. This is because third-party
libraries may manipulate cookies in their own way, which does not involve cookie validation.
Cookie validation is enabled by default. You can disable it by setting the [[yii\web\Request::enableCookieValidation]] Cookie validation is enabled by default. You can disable it by setting the [[yii\web\Request::enableCookieValidation]]
property to be false, although we recommend you not to do so. property to be false, although we strongly recommend you do not do so.
> Note: Cookies that are directly read/sent via `$_COOKIE` and `setcookie()` will NOT be validated. > Note: Cookies that are directly read/sent via `$_COOKIE` and `setcookie()` will NOT be validated.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment