HttpOnly Cookie
#1

[eluser]dazed[/eluser]
Hi Guys,

Another tricky one for you guys.

I have completely built an application using the CodeIgniter session library using the database back end.

My problem is that now the application has gone through security review it has been noted that the ci_session cookie will need HttpOnly flag.

Now in PHP you use the command
Code:
session.cookie_httponly
and I have found OBSession uses
Code:
$config['sess_http_only'] = TRUE;
Now is there a way, or any suggestions on how to hack the session library, for me to be able to add HttpOnly to my cookie?

Cheers

Dazed
#2

[eluser]WanWizard[/eluser]
The session cookie is set in the _set_cookie() method of the Session library. Adding 'TRUE' as extra parameter to the set_cookie() call should do the trick.

Note that this is only supported from PHP 5.2+, so if your app needs to be portable, you might want to add a version test.
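One way to apply WanWizard's suggestion, as an added example rather than code from the thread or from CodeIgniter itself: an application-level MY_Session that overrides _set_cookie() and passes the HttpOnly flag. It assumes the CI 2.1 Session library's properties and helpers, so the body mirrors that version's method and only the cookie call changes.

```php
<?php
// application/libraries/MY_Session.php (added example, hypothetical extension of CI 2.x's
// CI_Session; not CodeIgniter's own code). Overrides _set_cookie() so the ci_session cookie
// is issued with the HttpOnly flag. The body mirrors the 2.1 library's method; the only
// functional change is the seventh setcookie() argument and the PHP version guard.
class MY_Session extends CI_Session
{
    function _set_cookie($cookie_data = NULL)
    {
        if (is_null($cookie_data))
        {
            $cookie_data = $this->userdata;
        }

        // Serialize the userdata for the cookie (same as the parent class)
        $cookie_data = $this->_serialize($cookie_data);

        if ($this->sess_encrypt_cookie == TRUE)
        {
            $cookie_data = $this->CI->encrypt->encode($cookie_data);
        }
        else
        {
            // Without encryption, append an md5 hash so client-side tampering is detected
            $cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
        }

        $expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();

        // setcookie() accepts the httponly argument from PHP 5.2.0. On older PHP a seventh
        // argument is rejected and the cookie would not be set at all, so guard the call.
        if (version_compare(PHP_VERSION, '5.2.0', '>='))
        {
            setcookie($this->sess_cookie_name, $cookie_data, $expire,
                      $this->cookie_path, $this->cookie_domain, $this->cookie_secure, TRUE);
        }
        else
        {
            // Older PHP: no HttpOnly support, so behave exactly like the parent class and log it
            log_message('error', 'PHP < 5.2.0 cannot set HttpOnly; session cookie sent without it');
            setcookie($this->sess_cookie_name, $cookie_data, $expire,
                      $this->cookie_path, $this->cookie_domain, $this->cookie_secure);
        }
    }
}
```

Note that the php.ini setting session.cookie_httponly only affects PHP's native session cookie, not a cookie CodeIgniter issues itself through setcookie(), which is why the override is needed. Verify the result by checking that the Set-Cookie response header for ci_session carries the HttpOnly attribute.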
#3

[eluser]dazed[/eluser]
Hi WanWizard,

Thanks for your reply. I am currently running PHP ver 5.2.6-1 so that should be able to handle HttpOnly.

I am not sure if I understand your meaning though with adding TRUE as a parameter.

Do you mean _set_cookie(TRUE) or sess_http_only = TRUE somewhere?

Sorry if I am not making myself clear. Guess I am getting close to the edge of my PHP knowledge with this one.
#4

[eluser]jorisw[/eluser]
It says here:

https://github.com/EllisLab/CodeIgniter/pull/1182

... that HTTP only cookie support was merged into CI 10 months ago. Where is it now? I don't see it in CI 2.1.3.
#5

[eluser]Gfunk[/eluser]
Why is it that I see on Github that the session.php file under system/library of CI has this option for httponly cookies and yet I don't see this under later versions of CI. :gulp:

The url for code seen on Github:
https://github.com/EllisLab/CodeIgniter/...ession.php

Anyway, I will just try to modify the session.php under my application/library to satisfy this concern for now, same goes for the input.php inside the core.

My question now is: would you update later versions of CI with httponly cookie options for both the session and input classes?

Thanks!


#6

[eluser]InsiteFX[/eluser]
In CI 3.0 Dev they are re-writing the Session class.
#7

[eluser]Gfunk[/eluser]
This is good to know... I also hope they would include the input->set_cookie() as well in the update.

Thank you so much for the info!