@ -332,11 +332,6 @@ examples, the [[yii\web\Cookie]] class also defines other properties to fully re
information, such as [[yii\web\Cookie::domain|domain]], [[yii\web\Cookie::expire|expire]]. You may configure these
properties as needed to prepare a cookie and then add it to the response's cookie collection.
> Note: For better security, the default value of [[yii\web\Cookie::httpOnly]] is set to `true` . This helps mitigate
the risk of a client-side script accessing the protected cookie (if the browser supports it). You may read
the [httpOnly wiki article ](https://www.owasp.org/index.php/HttpOnly ) for more details.
### Cookie Validation < span id = "cookie-validation" > < / span >
When you are reading and sending cookies through the `request` and `response` components as shown in the last
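Review bot: the `### Cookie Validation` heading carries its anchor as `< span id = "cookie-validation" > < / span >`, with spaces inside the tag delimiters; unless that is rendering noise, the tag will not parse as HTML and the `#cookie-validation` fragment that other guide pages link to will stop resolving, so it should read `<span id="cookie-validation"></span>`. In the same hunk the OWASP link target `https://www.owasp.org/index.php/HttpOnly ` has a trailing space before the closing parenthesis, which breaks the link in strict Markdown renderers, and there is a stray space before the full stop after `` `true` ``.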
@ -369,3 +364,34 @@ return [
> Info: [[yii\web\Request::cookieValidationKey|cookieValidationKey]] is critical to your application's security.
It should only be known to people you trust. Do not store it in the version control system.
## Security settings
Both [[yii\web\Cookie]] and [[yii\web\Session]] support the following security flags:
### httpOnly
For better security, the default value of [[yii\web\Cookie::httpOnly]] and the 'httponly' parameter of
[[yii\web\Session::cookieParams]] is set to `true` . This helps mitigate the risk of a client-side script accessing
the protected cookie (if the browser supports it).
You may read the [HttpOnly wiki article ](https://www.owasp.org/index.php/HttpOnly ) for more details.
### secure
The purpose of the secure flag is to prevent cookies from being send in clear text. If the browser supports the
secure flag it will only include the cookie when the request is sent over a secure (TLS) connection.
You may read the [SecureFlag wiki article ](https://www.owasp.org/index.php/SecureFlag ) for more details.
### sameSite
Starting with Yii 2.0.21 the [[yii\web\Cookie::sameSite]] setting is supported. It requires PHP version 7.3.0 or higher.
The purpose of the `sameSite` setting is to prevent CSRF (Cross-Site Request Forgery) attacks.
If the browser supports the `sameSite` setting it will only include the cookie according to the specified policy ('Lax' or 'Strict').
You may read the [SameSite wiki article ](https://www.owasp.org/index.php/SameSite ) for more details.
For better security, an exception will be thrown if `sameSite` is used with an unsupported version of PHP.
To use this feature across different PHP versions check the version first. E.g.
```php
[
'sameSite' => PHP_VERSION_ID >= 70300 ? yii\web\Cookie::SAME_SITE_LAX : null,
]
```
> Note: Since not all browsers support the `sameSite` setting yet, it is still strongly recommended to also include
[additional CSRF protection ](security-best-practices.md#avoiding-csrf ).
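Review bot: the new section opens by stating that both [[yii\web\Cookie]] and [[yii\web\Session]] support these flags, but only the httpOnly subsection documents both sides (`Cookie::httpOnly` and the 'httponly' key of `Session::cookieParams`); the secure subsection names no property at all, and the sameSite subsection covers only `Cookie::sameSite`, so a reader cannot tell how to set secure or sameSite on the session cookie, or whether that is possible. Suggest naming the `cookieParams` key for each flag as the httpOnly subsection does, or stating explicitly where a flag is Cookie-only. The version-check snippet is a bare array fragment: say what it is passed to (a `Cookie` configuration array) and state that the `null` branch is what avoids the exception on PHP below 7.3.0, since the surrounding text only says an exception is thrown when sameSite "is used". Style: "prevent cookies from being send" should read "sent", the `true` .` spacing from the old note is carried over, and all three OWASP link targets have a trailing space before the closing parenthesis, which breaks the links in strict Markdown renderers.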