VYPR
Moderate severity · NVD Advisory · Published Aug 12, 2022 · Updated Apr 22, 2025

SameSite may allow cross-site request forgery (CSRF) protection to be bypassed

CVE-2022-35943

Description

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite attackers to bypass the CodeIgniter 4 CSRF protection mechanism when it is used with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/) of the target site (e.g., http://example.com/). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: set Config\Security::$csrfProtection to 'session', remove old session data right after login (immediately after ID and password match), and regenerate the CSRF token right after login (immediately after ID and password match).
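To show why the advisory insists on the 'session' setting plus a post-login session and token rotation, here is an added, constructed model of the two CSRF verification modes (double-submit cookie versus server-side session token). It is not Shield's or the framework's code; cookie names, field names and the in-memory session store are assumptions, and the "planted" value stands for a cookie written by any same-site origin.

```python
import hmac
import secrets

# Constructed model of CodeIgniter 4's two CSRF modes; not Shield's or the framework's code.
SESSIONS = {}  # server-side session store: session id -> session data

def new_session():
    """Create a server-side session holding a fresh CSRF token; return its id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(16)}
    return sid

def verify_cookie_mode(cookies, form):
    """'cookie' mode (double submit): the posted token is compared with a token the
    client sends back in a cookie. Both values come from the client, so any origin
    able to write cookies for the registrable domain can make them agree."""
    expected, got = cookies.get("csrf_cookie"), form.get("csrf_test")
    return bool(expected and got and hmac.compare_digest(expected, got))

def verify_session_mode(cookies, form):
    """'session' mode: the posted token is compared with the token kept server-side
    in whatever session the session-id cookie resolves to."""
    sess = SESSIONS.get(cookies.get("ci_session", ""))
    got = form.get("csrf_test")
    return bool(sess and got and hmac.compare_digest(sess["csrf_token"], got))

def login(old_sid):
    """The advisory's post-login steps: drop the old session data and issue a new
    session id and CSRF token (the patch's regenerate(true) plus generateHash())."""
    SESSIONS.pop(old_sid, None)
    return new_session()

def demo():
    """Return (cookie_mode_accepts, session_mode_accepts, stale_token_rejected)."""
    planted = "value-written-by-subdomain"  # constructed: same string in cookie jar and form
    cookies, form = {"csrf_cookie": planted}, {"csrf_test": planted}
    cookie_mode_accepts = verify_cookie_mode(cookies, form)    # True: the cookie is trusted
    session_mode_accepts = verify_session_mode(cookies, form)  # False: no session matches
    # Fixation angle: a token issued before login must stop validating after login().
    sid = new_session()
    old_token = SESSIONS[sid]["csrf_token"]
    new_sid = login(sid)
    stale_rejected = not (verify_session_mode({"ci_session": sid}, {"csrf_test": old_token})
                          or verify_session_mode({"ci_session": new_sid}, {"csrf_test": old_token}))
    return cookie_mode_accepts, session_mode_accepts, stale_rejected

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```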

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: codeigniter4/shield (Packagist)
Affected versions: >= 1.0.0-beta, < 1.0.0-beta.2
Patched versions: 1.0.0-beta.2

Patches

342a36853667

Merge pull request from GHSA-5hm8-vh6r-2cjq

https://github.com/codeigniter4/shield · MGatner · Aug 7, 2022 · via ghsa
7 files changed · +48 −4
  • composer.json +1 −1 modified
    @@ -23,7 +23,7 @@
         },
         "require-dev": {
             "codeigniter4/devkit": "^1.0",
    -        "codeigniter4/framework": "^4.1",
    +        "codeigniter4/framework": "^4.2.3",
             "mockery/mockery": "^1.0"
         },
         "provide": {
    
  • docs/install.md +6 −0 modified
    @@ -12,6 +12,12 @@
     
     These instructions assume that you have already [installed the CodeIgniter 4 app starter](https://codeigniter.com/user_guide/installation/installing_composer.html) as the basis for your new project, set up your `.env` file, and created a database that you can access via the Spark CLI script.
     
    +> **Note**
    +> CodeIgniter Shield requires Codeigniter v4.2.3 or later.
    +
    +> **Note**
    +> You must set ``Config\Security::$csrfProtection`` to `'session'` (or set `security.csrfProtection = session` in your `.env` file) for security reasons, if you use Session Authenticator.
    +
     Installation is done through [Composer](https://getcomposer.org). The example assumes you have it installed globally.
     If you have it installed as a phar, or othewise you will need to adjust the way you call composer itself.
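Review bot: the second note tells users to set `'session'` "for security reasons" without saying what the risk is or what happens otherwise; since `Session::__construct()` in this same change throws a `SecurityException` when the value is `'cookie'`, state that plainly (Shield refuses to start with the cookie setting because a same-site attacker can bypass cookie-based CSRF protection) and link the advisory, or users who hit the exception will not connect it to this paragraph. The double backticks around ``Config\Security::$csrfProtection`` can be single backticks like the rest of the line.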
     
    
  • README.md +1 −1 modified
    @@ -35,7 +35,7 @@ access for a mobile application that you build.
     
     Usage of Shield requires the following:
     
    -- A [CodeIgniter 4](https://github.com/codeigniter4/CodeIgniter4/)-based project
    +- A [CodeIgniter 4.2.3+](https://github.com/codeigniter4/CodeIgniter4/) based project
     - [Composer](https://getcomposer.org/) for package management
     - PHP 7.4.3+
     
    
  • src/Authentication/Authenticators/Session.php +26 −1 modified
    @@ -15,11 +15,14 @@
     use CodeIgniter\Shield\Entities\UserIdentity;
     use CodeIgniter\Shield\Exceptions\InvalidArgumentException;
     use CodeIgniter\Shield\Exceptions\LogicException;
    +use CodeIgniter\Shield\Exceptions\SecurityException;
     use CodeIgniter\Shield\Models\LoginModel;
     use CodeIgniter\Shield\Models\RememberModel;
     use CodeIgniter\Shield\Models\UserIdentityModel;
     use CodeIgniter\Shield\Models\UserModel;
     use CodeIgniter\Shield\Result;
    +use Config\Security;
    +use Config\Services;
     use stdClass;
     
     class Session implements AuthenticatorInterface
    @@ -72,6 +75,25 @@ public function __construct(UserModel $provider)
             $this->loginModel        = model(LoginModel::class);
             $this->rememberModel     = model(RememberModel::class);
             $this->userIdentityModel = model(UserIdentityModel::class);
    +
    +        $this->checkSecurityConfig();
    +    }
    +
    +    /**
    +     * Checks less secure Configuration.
    +     */
    +    private function checkSecurityConfig(): void
    +    {
    +        /** @var Security $securityConfig */
    +        $securityConfig = config('Security');
    +
    +        if ($securityConfig->csrfProtection === 'cookie') {
    +            throw new SecurityException(
    +                'Config\Security::$csrfProtection is set to \'cookie\'.'
    +                . ' Same-site attackers may bypass the CSRF protection.'
    +                . ' Please set it to \'session\'.'
    +            );
    +        }
         }
     
         /**
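Review bot: `checkSecurityConfig()` rejects only the exact string `'cookie'` (`if ($securityConfig->csrfProtection === 'cookie')`), so any other value, including a typo, passes even though it is not the setting the advisory requires; invert the test to `!== 'session'` so the only accepted state is the safe one. The docblock "Checks less secure Configuration." should also say what is checked and that the method throws, since every instantiation of the Session authenticator now fails fast on a mis-set config.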
    @@ -567,7 +589,10 @@ public function startLogin(User $user): void
     
             // Regenerate the session ID to help protect against session fixation
             if (ENVIRONMENT !== 'testing') {
    -            session()->regenerate();
    +            session()->regenerate(true);
    +
    +            // Regenerate CSRF token even if `security.regenerate = false`.
    +            Services::security()->generateHash();
             }
     
             // Let the session know we're logged in
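Review bot: both of the advisory's mitigations, `session()->regenerate(true)` dropping the old session data and `Services::security()->generateHash()` issuing a new CSRF token, sit inside `if (ENVIRONMENT !== 'testing')`, so the test suite never exercises them and a regression would go unnoticed. Keep only the session-id regeneration behind the environment guard if the harness needs that, and move the hash regeneration outside it, or add a test asserting that the CSRF hash differs before and after `startLogin()`.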
    
  • src/Exceptions/SecurityException.php +9 −0 added
    @@ -0,0 +1,9 @@
    +<?php
    +
    +namespace CodeIgniter\Shield\Exceptions;
    +
    +use RuntimeException;
    +
    +class SecurityException extends RuntimeException
    +{
    +}
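Review bot: the new class has no docblock; a one-line description stating that it is thrown while constructing an authenticator when `Config\Security` is set to a value Shield refuses to run with would help anyone who has to catch it.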
    
  • tests/Controllers/RegisterTest.php +0 −1 modified
    @@ -30,7 +30,6 @@ protected function setUp(): void
             parent::setUp();
     
             helper('auth');
    -        Factories::reset();
     
             // Add auth routes
             $routes = service('routes');
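Review bot: dropping `Factories::reset();` here is presumably so the `Security` config mock injected in `TestCase::setUp()` survives into this test (otherwise the new constructor check would throw), but the hunk carries no comment saying so, and the reset also gave this test isolation from any other factory state. Either add a comment explaining why the reset was removed, or keep the reset and re-inject the mocks after it.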
    
  • tests/_support/TestCase.php +5 −0 modified
    @@ -33,5 +33,10 @@ protected function setUp(): void
             $config          = config('Auth');
             $config->actions = ['login' => null, 'register' => null];
             Factories::injectMock('config', 'Auth', $config);
    +
    +        // Set Config\Security::$csrfProtection to 'session'
    +        $config                 = config('Security');
    +        $config->csrfProtection = 'session';
    +        Factories::injectMock('config', 'Security', $config);
         }
     }
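Review bot: injecting a `Security` config with `csrfProtection = 'session'` makes every test run with the safe setting, but nothing in this change covers the unsafe path; add a test that injects `'cookie'`, instantiates the `Session` authenticator and expects `SecurityException`, so the guard added in `Session::__construct()` is actually exercised. Reusing `$config` from the `Auth` block just above is also easy to misread; a distinct name such as `$securityConfig` would help.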
    
