HttpOnly cookie in CodeIgniter
Hi Guys,
I have developed an application using CodeIgniter 2.1.3. The application has gone through a security review, and it has been reported that the ci_session cookie will need the HttpOnly flag. I have seen the session.php file in system/libraries, and it has a function called _set_cookie. I would like to know whether a modification in this file is needed or whether there is some other way. Best regards,
A security audit would also tell you that you must upgrade to CI3, at which point this won't be an issue.
Upgrading to CI3 is not an option. I have to resolve it with CI 2.1.3 only. Please help
Best regards,
Seriously? You are a developer and you can't type 'php how to set http_only cookie' into Google?
In system/library/Session.php:688 add a comma at the end, and on the next line type 'true' (as a boolean, of course). If there isn't any variable in that place, how do you want to put something there?

(06-09-2017, 02:53 AM) NickOver Wrote: Seriously? You are a developer and you can't type 'php how to set http_only cookie' into Google?

Don't act too smart, Nick. I have searched Google and found that the httponly cookie is not implemented in CI 2.1.3, and only after that did I post in this forum. We can see in session.php itself that cookie_httponly is not set:

Code:
    foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)

Common sense should prevail.

(06-09-2017, 02:07 AM) june123 Wrote: Upgrading to CI3 is not an option. I have to resolve it with CI 2.1.3 only. Please help

Then you'll never be secure. You might as well say "Improving our security is not an option". If you're running CI2, the lack of an httpOnly flag on a cookie is the least of your problems.
(06-09-2017, 03:29 AM) june123 Wrote: (06-09-2017, 02:53 AM) NickOver Wrote: Seriously? You are a developer and you can't type 'php how to set http_only cookie' into Google?

Step-by-step docs on how to use cookie_httponly:
https://www.codeigniter.com/user_guide/i...e_214.html
https://www.codeigniter.com/user_guide/i...e_220.html
https://www.codeigniter.com/user_guide/i...e_300.html
https://www.codeigniter.com/user_guide/i...e_310.html
https://www.codeigniter.com/user_guide/i...e_311.html
https://www.codeigniter.com/user_guide/i...e_312.html
https://www.codeigniter.com/user_guide/i...e_313.html
https://www.codeigniter.com/user_guide/i...e_314.html

Or you change this line (bad way): https://github.com/bcit-ci/CodeIgniter/b...n.php#L668

If you care about security, update your code. 5-year-old CodeIgniter code is not secure.
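The thread's fix is to edit the setcookie() call inside system/libraries/Session.php, which is overwritten on the next framework update. As an added example (not code from the thread or from the CodeIgniter project), the same seventh setcookie() argument can be supplied from an application-level subclass instead; this assumes CI 2.1.3's default subclass_prefix of 'MY_' and the _set_cookie() body as shipped in the 2.1.x Session library.

```php
<?php
// application/libraries/MY_Session.php
// Added example: CodeIgniter 2.1.x loads MY_Session in place of CI_Session
// when the session library is loaded, so the HttpOnly flag can be set here
// without touching system/libraries/Session.php.
// Assumes $config['subclass_prefix'] is the default 'MY_'.
class MY_Session extends CI_Session
{
    // Mirrors CI_Session::_set_cookie() from 2.1.x; the only change is the
    // trailing TRUE (httponly) passed to setcookie().
    public function _set_cookie($cookie_data = NULL)
    {
        if (is_null($cookie_data))
        {
            $cookie_data = $this->userdata;
        }

        // Serialize the userdata for the cookie
        $cookie_data = $this->_serialize($cookie_data);

        if ($this->sess_encrypt_cookie == TRUE)
        {
            $cookie_data = $this->CI->encrypt->encode($cookie_data);
        }
        else
        {
            // Without encryption CI appends an md5 hash to detect tampering
            $cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
        }

        $expire = ($this->sess_expire_on_close === TRUE)
            ? 0
            : $this->sess_expiration + time();

        // The seventh argument marks the cookie HttpOnly, so script in the
        // page (document.cookie) can no longer read ci_session.
        setcookie(
            $this->sess_cookie_name,
            $cookie_data,
            $expire,
            $this->cookie_path,
            $this->cookie_domain,
            $this->cookie_secure,
            TRUE
        );
    }
}
```

After deploying, confirm the change by checking that the Set-Cookie response header for ci_session now carries the HttpOnly attribute; if cookie_secure is enabled in config.php the Secure attribute should appear alongside it.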