HttpOnly cookie in CodeIgniter
#1

Hi Guys,

I have developed an application using CodeIgniter 2.1.3.

The application has gone to security review and it has been reported that the ci_session cookie will need HttpOnly flag. 

I have seen the session.php file in system/libraries and it has a function called _set_cookie.

I would like to know if any modification in this file is needed or there is some other way.

Best regards,
#2

A security audit would also tell you that you must upgrade to CI3, at which point this won't be an issue.
#3

Upgrading to CI3 is not an option. I have to resolve it with CI 2.1.3 only. Please help

Best regards,
#4

(This post was last modified: 06-09-2017, 02:55 AM by NickOver.)

Seriously? You are a developer and you can't type 'php how to set http_only cookie' into Google?
In system/library/Session.php:688 add a comma at the end, and on the next line type 'true' (as a boolean, of course).
If there isn't any variable in that place, how do you want to put something there?
#5

When we ask a question on a forum, the hardest insult is ... "look at Google".
#6

(06-09-2017, 02:53 AM)NickOver Wrote: Seriously? You are a developer and you can't type 'php how to set http_only cookie' into Google?
In system/library/Session.php:688 add a comma at the end, and on the next line type 'true' (as a boolean, of course).
If there isn't any variable in that place, how do you want to put something there?

Don't act too smart, Nick.
I have searched Google and found that the httponly cookie is not implemented in CI 2.1.3, and only after that did I post in this forum. We can see in session.php itself that cookie_httponly is not set:

Code:
foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)

Common sense should prevail.
#7

(06-09-2017, 02:07 AM)june123 Wrote: Upgrading to CI3 is not an option. I have to resolve it with CI 2.1.3 only. Please help

Best regards,

Then you'll never be secure. You might as well say "Improving our security is not an option".

If you're running CI2, the lack of an httpOnly flag on a cookie is the least of your problems.
#8

New users to the forums should read the Forum Rules!
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#9

(06-09-2017, 03:29 AM)june123 Wrote:
(06-09-2017, 02:53 AM)NickOver Wrote: Seriously? You are a developer and you can't type 'php how to set http_only cookie' into Google?
In system/library/Session.php:688 add a comma at the end, and on the next line type 'true' (as a boolean, of course).
If there isn't any variable in that place, how do you want to put something there?

Don't act too smart, Nick.
I have searched Google and found that the httponly cookie is not implemented in CI 2.1.3, and only after that did I post in this forum. We can see in session.php itself that cookie_httponly is not set:

Code:
foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)

Common sense should prevail.

Step-by-step docs on how to use cookie_httponly:

https://www.codeigniter.com/user_guide/i...e_214.html
https://www.codeigniter.com/user_guide/i...e_220.html
https://www.codeigniter.com/user_guide/i...e_300.html
https://www.codeigniter.com/user_guide/i...e_310.html
https://www.codeigniter.com/user_guide/i...e_311.html
https://www.codeigniter.com/user_guide/i...e_312.html
https://www.codeigniter.com/user_guide/i...e_313.html
https://www.codeigniter.com/user_guide/i...e_314.html

or you change this line (the bad way):

https://github.com/bcit-ci/CodeIgniter/b...n.php#L668


If you care about security, update your code. 5-year-old CodeIgniter code is not secure.
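As an added example (not code from the original posts or from CodeIgniter itself), here is the setcookie() call shape that posts #4 and #9 refer to, once as the six-argument call and once with the seventh $httponly argument set to true, plus a small check a reviewer can run on a captured Set-Cookie header. The function names and the sample header strings are constructed for this example.

```php
<?php
// Added example, not CodeIgniter's own code. Mirrors the setcookie() call shape of
// CI 2.1.3's Session::_set_cookie() and shows the one-argument difference that
// adds HttpOnly, plus a reviewer-side check on a captured Set-Cookie header.

// Six-argument call: the seventh setcookie() parameter ($httponly) defaults to
// false, so the cookie stays readable from JavaScript via document.cookie.
function set_session_cookie_as_is($name, $value, $expire, $path, $domain, $secure)
{
    return setcookie($name, $value, $expire, $path, $domain, $secure);
}

// Same call with the seventh argument set to true (the change post #4 describes).
// Assumption: PHP >= 5.2.0, where the $httponly parameter exists.
function set_session_cookie_httponly($name, $value, $expire, $path, $domain, $secure)
{
    return setcookie($name, $value, $expire, $path, $domain, $secure, true);
}

// Reviewer check: does a Set-Cookie header carry the HttpOnly attribute?
// Attribute names are case-insensitive, so compare lower-cased.
function cookie_has_httponly(string $set_cookie_header): bool
{
    $parts = array_map('trim', explode(';', $set_cookie_header));
    array_shift($parts); // drop the leading "name=value" pair
    foreach ($parts as $attr) {
        if (strtolower($attr) === 'httponly') {
            return true;
        }
    }
    return false;
}

// Issue both variants before any output (headers must not already be sent).
$expire = time() + 7200;
set_session_cookie_as_is('ci_session', 'constructed-value', $expire, '/', '', false);
set_session_cookie_httponly('ci_session', 'constructed-value', $expire, '/', '', false);

// Constructed sample headers (not captured from a real site) for the check.
$samples = [
    'ci_session=abc123; expires=Fri, 09-Jun-2017 03:00:00 GMT; path=/; secure',
    'ci_session=abc123; expires=Fri, 09-Jun-2017 03:00:00 GMT; path=/; secure; HttpOnly',
];
foreach ($samples as $header) {
    printf("%-8s %s\n", cookie_has_httponly($header) ? 'OK' : 'MISSING', $header);
}
```

HttpOnly only stops script access to the cookie value; the `secure` flag is still controlled separately by the cookie_secure config entry listed in the foreach above, and neither flag addresses the other CI2 issues the replies mention.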