Sessions, Login Modals, and Secure Forms in ExpressionEngine 2.8
Security is one of our biggest concerns. However, all the security in the world
doesn’t matter if it’s not used correctly. So in ExpressionEngine 2.8 we are
making a few changes to ExpressionEngine’s security features to encourage good
First up is secure forms. Secure forms as a feature is commonly misunderstood,
but it is critically important. It could be more verbosely referred to as Cross-Site
Request Forgery (CSRF) protection. CSRF vulnerabilities are one of the most
common security problems on the web. In 2.7 we made some changes to move these
security checks out of add-ons and into EE proper. We tend to do things a little
more strictly than required even if it means a small hit to usability, but the
move highlighted just how strict we were. It was driving people to disable secure
forms entirely. In response, the 2.8 implementation is more in line with
industry standard CSRF protection, which should result in fewer submission errors.
Along with this change, the setting for secure forms has been removed from the
control panel. There is still a configuration override to disable it, but doing
so on new sites is strongly discouraged.
$config['disable_csrf_protection'] = 'y';
Next, we removed the session length configuration overrides. Looking at how
these were being used we realized that they were almost always set to extreme
values. For those of you who were setting them to very large numbers, please
consider using Remember Me instead. For anyone who has tried to set session
length to zero in hopes of getting a session that ends when the browser is
closed, you’ll be happy to hear that we’ve added a config override to do just
$config['expire_session_on_browser_close'] = 'y';
Lastly, the idle modal. The idle modal was added in 2.7 as a way to improve on
the existing dropdown and get better control panel security on public machines.
As a remote working company we spend a lot of time in coffee shops and libraries.
We see people leave devices unattended on a daily basis. However, this behavior
is not always desired on a home machine. Sometimes you want a session that lasts
a long time. So, in line with the recommendation to use Remember Me for long
lasting sessions, the login modal in ExpressionEngine 2.8 will no longer show if
Remember Me is checked. Additionally, it will only end the control panel session,
the front-end will behave as normal. And lastly, it will no longer redirect you
to the login screen, even if it is left open for several hours or even days.