CI Sessions -- Additional Cookie Options

[eluser]Unknown[/eluser]
The Problem:
I am using TankAuth for user authentication. TankAuth uses the CI session class, which uses cookies rather than true PHP sessions.

This didn't really cause me a lot of problems, but there was a random sampling of users who were unable to log in. They would enter their credentials correctly (no form errors), but for some reason the cookie was never set. It didn't matter what browser they used, it would always fail. Well, I discovered that the problem lies with their security software (such as Norton Internet Security), which was destroying the cookie after it was set.


The Solution:
PHP's function setcookie has an additional parameter $httponly that was added in 5.2.0. I know that CI has legacy concerns that it must consider, but adding this option to the config and the session library and cookie helper has solved my problem. So if you're using CI's native session class for authentication and have trouble with people not being able to log in, then I can pass along my code to you. It's currently for CI version 1.7.2 but I'll be updating it to CI 2.0 when the final version is released.



Anyway, I love CodeIgniter! Has anyone else experienced issues with users not having cookies set? This was just the solution I found that fixed my current problem. I'm definitely not an expert on any of this stuff so I'd love to hear your opinion. Thanks!


References:
http://www.owasp.org/index.php/HttpOnly
PHP setcookie() Function
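
A sketch of the kind of change described in the post above, as an added example that is not the poster's code or CodeIgniter's own: a config-driven HttpOnly flag passed to setcookie(), with a hand-built header for PHP older than 5.2.0. The function name send_session_cookie and the config keys are assumptions.

```php
<?php
// Added example. The function name and the config keys below are assumptions,
// not CodeIgniter's or TankAuth's actual code.
$config = array(
    'cookie_prefix'   => '',
    'cookie_domain'   => '',
    'cookie_path'     => '/',
    'cookie_secure'   => FALSE, // set TRUE when the site is served over HTTPS
    'cookie_httponly' => TRUE,  // hide the cookie from document.cookie
);

function send_session_cookie($name, $value, $lifetime, $config)
{
    if (headers_sent()) {
        return FALSE; // too late to emit a Set-Cookie header
    }
    $name   = $config['cookie_prefix'] . $name;
    $expire = ($lifetime > 0) ? time() + $lifetime : 0; // 0 = browser-session cookie

    // PHP 5.2.0+ accepts $httponly as the seventh argument.
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        return setcookie($name, $value, $expire, $config['cookie_path'],
            $config['cookie_domain'], $config['cookie_secure'],
            $config['cookie_httponly']);
    }

    // Older PHP: build the header by hand so the attribute is still sent.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expire > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    $header .= '; path=' . $config['cookie_path'];
    if ($config['cookie_domain'] !== '') {
        $header .= '; domain=' . $config['cookie_domain'];
    }
    if ($config['cookie_secure']) {
        $header .= '; secure';
    }
    if ($config['cookie_httponly']) {
        $header .= '; HttpOnly';
    }
    header($header, FALSE); // FALSE: append, do not replace other Set-Cookie headers
    return TRUE;
}

// Constructed usage: a two-hour session cookie with a made-up value.
send_session_cookie('ci_session', 'constructed-session-value', 7200, $config);
```

The resulting Set-Cookie response header can be inspected in the browser's developer tools to confirm the HttpOnly attribute is present.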

