Error after updating codeigniter 4 shield

[githaigamaina]

PHP Version

8.1.5

CodeIgniter4 Version

4.4.1

Shield Version

dev-develop 41fb00e

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

postgres 15

Did you customize Shield?

No

What happened?

CodeIgniter\Shield\Exceptions\SecurityException
Config\Security::$csrfProtection is set to 'cookie'. Same-site attackers may bypass the CSRF protection. Please set it to 'session'.
VENDORPATH\codeigniter4\shield\src\Authentication\Authenticators\Session.php at line 96

89 /
90 private function checkSecurityConfig(): void
91 {
92 /* @var Security $securityConfig */
93 $securityConfig = config('Security');
94
95 if ($securityConfig->csrfProtection === 'cookie') {
96 throw new SecurityException(
97 'Config\Security::$csrfProtection is set to 'cookie'.'
98 . ' Same-site attackers may bypass the CSRF protection.'
99 . ' Please set it to 'session'.'
100 );
101 }
102 }
103

Steps to Reproduce

After updating using composer update, the file VENDORPATH\codeigniter4\shield\src\Authentication\Authenticators\Session.php at line 96 from session to cookie

Expected Output

VENDORPATH\codeigniter4\shield\src\Authentication\Authenticators\Session.php should be if ($securityConfig->csrfProtection === 'session') {

Anything else?

no

[kenjis]

Config\Security::$csrfProtection is set to 'cookie'. Same-site attackers may bypass the CSRF protection. Please set it to 'session'.

See the step 4. in https://github.com/codeigniter4/shield/blob/develop/docs/getting_started/install.md#manual-setup

[githaigamaina]

if i run composer update , it will overwrite the file VENDORPATH\codeigniter4\shield\src\Authentication\Authenticators\Session.php
This line if ($securityConfig->csrfProtection === 'session') { will be set to if ($securityConfig->csrfProtection === 'cookie') {

[kenjis]

No, you must set it in your app/Config/Security.php.
See https://github.com/kenjis/ci4-shield-test/blob/7f62b06aca0bc9c9b6b61fd8f7ad2b369d540d5d/app/Config/Security.php#L18

[githaigamaina]

OK. I have changed it in the app/Config/Security.php. I will test with the next update. Thank you very much.

[sammyskills]

If you don't want to use config file, you can set the value in your .env file like so:

security.csrfProtection = 'session'

[kenjis]

I don't recommend you use .env in this case.
Because I can't imagine the situation that you need to use session in your development environment, but you need to use insecure cookie in your production environment.