Stronger cookie default settings #4

Open
Benjamin-K opened this issue Oct 23, 2023 · 3 comments

Comments

@Benjamin-K
Contributor

Just asking before I create a PR:
Should we add stronger settings for the Production context to this package? I think something like the settings below should be the default in production. I kept the comments so someone who wants to have a different value can easily change it.

```yaml
Neos:
  Flow:
    session:
      cookie:
        # Force SSL cookies.
        secure: true

        # The cookie samesite attribute.
        # possible values: 'none', 'strict' and 'lax'
        samesite: 'strict'

      # Specifies the number of seconds a user must be idle before the session
      # automatically expires. If set to "0", a session will never expire
      # automatically.
      inactivityTimeout: 1440 # 24 minutes, Flow default is 1 hour

    http:
      # Defines the "application token" which is sent in the HTTP response "X-Flow-Powered" header.
      #
      # The value can be one of:
      #
      # - "Off" (no application token header is sent)
      # - "ApplicationName" (the application name only, determined via the Neos.Flow.core.applicationKey setting)
      # - "MajorVersion" (the application name + major version, e.g. "Neos/2")
      # - "MinorVersion" (the application name + minor version, e.g. "Neos/2.1")
      #
      applicationToken: 'Off'

    security:
      cryptography:
        BCryptHashingStrategy:
          # Cost of a BCrypt operation, can be between 4 and 31
          # The faster your machine is, the higher this number should be
          cost: 14 # This is the default, but as an overview of all security options, I'll add it here, too.
```
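As an added example (not part of this issue and not code from the Flow project), the following Python script checks whether a deployed application actually exhibits the hardening proposed above, by auditing the response headers it sends: the session cookie's `Secure`, `HttpOnly` and `SameSite` attributes, and whether `X-Flow-Powered` still discloses a version number. The two header sets are constructed samples; the cookie name `Neos_Flow_Session` and the header values are assumptions for illustration, not captured from a real deployment.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample: headers a Flow app might send with the stock cookie settings
# (assumed for illustration; not captured from a real deployment).
WEAK_HEADERS = [
    ("Set-Cookie", "Neos_Flow_Session=abc123; Path=/; HttpOnly"),
    ("X-Flow-Powered", "Flow/8.3 Neos/8.3"),
]

# Constructed sample: the same response after secure/samesite are set and
# applicationToken is reduced to "ApplicationName".
HARDENED_HEADERS = [
    ("Set-Cookie", "Neos_Flow_Session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"),
    ("X-Flow-Powered", "Flow"),
]

# "Flow/8.3" exposes a version number; a bare "Flow" does not.
VERSION_RE = re.compile(r"/\d")


def audit_set_cookie(value):
    """Return a list of findings for one Set-Cookie header value."""
    findings = []
    jar = SimpleCookie()
    jar.load(value)
    for name, morsel in jar.items():
        # SimpleCookie stores flag attributes as True when present, "" when absent.
        if morsel["secure"] is not True:
            findings.append(f"{name}: missing Secure (session cookie may travel over plain HTTP)")
        if morsel["httponly"] is not True:
            findings.append(f"{name}: missing HttpOnly (cookie readable from JavaScript)")
        samesite = str(morsel["samesite"]).lower()
        if samesite not in ("strict", "lax"):
            findings.append(f"{name}: SameSite is {morsel['samesite'] or 'unset'!r}, expected Strict or Lax")
    return findings


def audit_powered_header(value):
    """Return a finding if X-Flow-Powered discloses a version number."""
    if VERSION_RE.search(value):
        return [f"X-Flow-Powered discloses a version: {value!r}"]
    return []


def audit_response(headers):
    """Run all checks over a list of (name, value) response header pairs."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
        elif name.lower() == "x-flow-powered":
            findings.extend(audit_powered_header(value))
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = audit_response(headers)
        print(f"{label}: {result or 'no findings'}")
```

Feeding the script the headers from a real response (for example the output of `curl -sI` against a staging host) gives a quick way to confirm that the Settings.yaml change took effect in the Production context; `inactivityTimeout` and the bcrypt cost are not observable from headers and have to be verified in the configuration itself.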
@sbruggmann
Contributor

Hi @Benjamin-K
Thanks for your input!

For Flow.session.cookie.(secure|samesite) I'm fully in.
Where do the 24 minutes come from and not just 1800?

The Flow.http.applicationToken I'd like to keep on "ApplicationName" because the system itself can usually be identified anyways and we as a community would affect the possibility for market share scanning.

I totally agree that applicationToken and security.cryptography.BCryptHashingStrategy.cost both need more attention like a hint. But I don't like to copy default values and existing comments.

@Benjamin-K
Contributor Author

Hi @sbruggmann

> Where do the 24 minutes come from and not just 1800?

The 24 minutes come from the PHP defaults. But I agree that we could also use a value that's more in line with our default timings, like 15 or 30 minutes (900 / 1800).

I also agree, that the Flow.http.applicationToken should not be removed completely to share the awesome work behind Flow and Neos.

I'm also fine if we do not add Flow.http.security here, if we don't change a thing. It could be a small hint in the Readme, though; what do you think?

@sbruggmann
Contributor

Hi @Benjamin-K

Sounds good 🙂
