Improving Cookie Security

Defending your browser from CSRF attacks

To defend your browser from cross-site request forgery (CSRF) attacks, you can add a cookie same-site setting to FileCloud.

The cookie same-site value can be set to the following, as stated in the MDN Web Docs site at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite:

  • Lax - Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
  • Strict - Cookies will only be sent in a first-party context and not be sent along with requests initiated by third-party websites.
  • None - Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
    To set the Secure attribute, see Adding httponly and secure flags, below.

For more information, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite.

To specify a cookie same-site value:

  1. Open cloudconfig.php:
    Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
    Linux Location: /var/www/config/cloudconfig.php
    • To set the cookie same-site setting to strict, add:

      define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Strict");
    • To set the cookie same-site setting to lax (the default), add:

      define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Lax");
    • To set the cookie same-site setting to none, add:

      define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");

Adding httponly and secure flags

You can take additional steps to make your cookies secure from external attacks by adding httponly and secure flags when sending cookies through HTTP headers.

What do httponly and secure flags do?

  • A cookie can be accessed through HTTP or through client-side JavaScript. The httponly flag blocks client-side (JavaScript) access to a cookie, so it is only sent to and from the server in HTTP requests.
  • Most sites are accessed over HTTPS, but some sites may also be accessed over HTTP, or some of their components may be sent over HTTP. This leaves cookies exposed to being transmitted over unencrypted HTTP. The secure flag prevents that by only allowing the cookie to be transmitted over HTTPS.

To configure FileCloud to always use the httponly and secure flags in HTTP headers:

  1. Open cloudconfig.php.
    • Windows Location : C:\xampp\htdocs\config\cloudconfig.php
    • Linux Location : /var/www/html/config/cloudconfig.php
  2. Add the following:

    define("TONIDOCLOUD_SECURE_COOKIE", 1);
    define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);
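After changing cloudconfig.php, it is worth confirming that the session cookie FileCloud actually sends carries the expected attributes. The following is an added example, not FileCloud's own code: it parses Set-Cookie header values (the sample headers are constructed, not captured from a real deployment) and reports cookies that lack Secure or httponly, or that set SameSite=None without Secure, which browsers block as described above.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie header values, in the shape you would see
# in a login response (e.g. via `curl -sI`). Not from a real FileCloud server.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",  # recommended
    "PHPSESSID=abc123; Path=/",                                     # no flags at all
    "PHPSESSID=abc123; Path=/; HttpOnly; SameSite=None",            # None without Secure
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its attributes.

    Returns a dict keyed by lower-cased attribute name; flag attributes such as
    Secure and HttpOnly map to an empty string. The cookie name is stored
    under "__name__".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {"__name__": parts[0].split("=", 1)[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie value; an empty list means it passes."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    has_secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    if not has_secure:
        findings.append("missing Secure flag (cookie may be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag (cookie readable from client-side JavaScript)")
    if not samesite:
        findings.append("no SameSite attribute (browser default applies)")
    elif samesite == "none" and not has_secure:
        findings.append("SameSite=None without Secure (browsers reject this cookie)")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name = parse_set_cookie(header)["__name__"]
        print(f"{name}: {audit_cookie(header) or 'OK'}")
```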

Recommended and default settings

The recommended values for the cookie settings are the following:

define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Strict");
define("TONIDOCLOUD_SECURE_COOKIE", 1);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);
However, if you are using FileCloud for Office, you must set the same-site cookie value to None for the feature to function.

define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");
If you are using FileCloud 23.1 or later:

The above recommended settings are the same as your default settings.

If you are using a version of FileCloud prior to 23.1:

Your default settings are:

define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");
define("TONIDOCLOUD_SECURE_COOKIE", 0);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 0);

You may copy the recommended settings, which are stored in cloudconfig-sample.php, into cloudconfig.php to override the defaults.

Integration with MS Teams

If you have integrated your system with MS Teams, and login frequently redirects users back to the login page:

  1. Open cloudconfig.php:
    Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
    Linux Location: /var/www/config/cloudconfig.php
  2. Add the following settings:

    define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");
    define("TONIDOCLOUD_SECURE_COOKIE", 1);
    define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);