_nss-cookie is not secure

[eydun]

When running IDS-scans of my site, it returns the message that the _nss (nette same-site)-cookie is not secure.

Would it be possible to make it secure?

https://github.com/nette/http/blob/master/src/Http/Helpers.php#L57

[mabar]

All cokies are automatically set to secure, if it's enabled and value is not given explicitly to setCookie() call

http/src/Http/Response.php

Line 261 in a0d4f7c

'secure' => $secure ?? $this->cookieSecure,

It is also enabled by default by HttpExtension (key http in neon)

http:
	cookieSecure: auto # same as default

[eydun]

Thank you for the reply.

I do not use the framework, but Nette Forms stand-alone.

When csrf-protection is added, then a not secure _nss-cookie is set.

        $form = new Form();
        $form->addProtection();

[mabar]

Hmm, you are right. I think you could work around that this way:

$form = new \Nette\Forms\Form();
// <workaround>
$form->httpRequest = $request = (new \Nette\Http\RequestFactory)->fromGlobals();
$response = new \Nette\Http\Response();
$response->cookieSecure = true;
\Nette\Http\Helpers::initCookie($request, $response);
// </workaround>
$form->addProtection();

Not very clear, but afaik should work.

[eydun]

Thanks for the tip.

What request-object can I use as first parameter in initCookie, when using Nette Forms stand-alone?

\Nette\Http\Helpers::initCookie(self::$defaultHttpRequest, $response);

[mabar]

Bit of an oversight from me, look at the updated example

[eydun]

Awesome, it works!

[dg]

Fixed in nette/forms