setting cookies with HTTPOnly flags in codeigniter


Luckily you can view the source code for Session.php on GitHub

In the function _set_cookie you will see:

    // Set the cookie
    setcookie(
        $this->sess_cookie_name,
        $cookie_data,
        $expire,
        $this->cookie_path,
        $this->cookie_domain,
        $this->cookie_secure,
        $this->cookie_httponly
    );

The value for $this->cookie_httponly is assigned in __construct and the default is FALSE, but you can set it to TRUE through config.php as follows:

$config['cookie_httponly'] = TRUE;

This will enable your cookies within the framework to be HTTPOnly.


I found that there is a drawback in the session management of CodeIgniter because:

  1. In version 2.1.3 there is no cookie_httponly flag.
     Solution:
     Step 1: Create your own MY_Session.php in application/libraries and extend the system Session class, or modify Session.php (system/libraries/Session.php).
     Step 2: Find the _set_cookie($cookie_data = NULL) function, go to setcookie() and modify it as:

         setcookie(
             $this->sess_cookie_name,
             $cookie_data,
             $expire,
             $this->cookie_path,
             $this->cookie_domain,
             $this->cookie_secure,
             TRUE   // add the TRUE flag
         );

  2. Even if you add "TRUE", when you test with the OWASP ZAP tool it will sometimes report CSRF issues,
     i.e. HTTPOnly is not true,
     Secure flag is not enabled.

     Reason: in sess_destroy they set the HTTPOnly and Secure flags to none.
     Solution: Update the sess_destroy function in Session.php as:

         // Kill the cookie
         setcookie(
             $this->sess_cookie_name,
             addslashes(serialize(array())),
             ($this->now - 31500000),
             $this->cookie_path,
             $this->cookie_domain,
             TRUE,
             TRUE
         );

Since these issues gave me sleepless nights, I hope this helps you as well. :)
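The two steps in the answer above (patch _set_cookie, then patch sess_destroy) can be done in one place without touching the system/ directory, by extending CI_Session from application/libraries/MY_Session.php. The class below is an added example, not code from the answer's author or from CodeIgniter: it overrides the two methods of CodeIgniter 2.1.3's CI_Session that emit the session cookie and routes both through a single helper (_emit_cookie, a name invented for this example) so the Secure and HttpOnly flags cannot drift between the live cookie and the expired "kill" cookie sent on logout. The method bodies are assumed to mirror the 2.1.x versions of _set_cookie and sess_destroy (the _serialize helper, $this->CI, $this->now and the encryption_key md5 are all taken from that version); compare against your own copy of system/libraries/Session.php before deploying it.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
// application/libraries/MY_Session.php
// Added example (not CodeIgniter's own code). Forces Secure + HttpOnly on
// every Set-Cookie that CI_Session 2.1.3 emits, including the one from
// sess_destroy() that scanners flag on the logout response.

class MY_Session extends CI_Session
{
    // Hard-coded policy for this example: the session cookie is never
    // written without these flags, whatever config.php says.
    const COOKIE_SECURE   = TRUE;
    const COOKIE_HTTPONLY = TRUE;

    function __construct($params = array())
    {
        parent::__construct($params);
        // Keep the parent's flag consistent with the policy above.
        $this->cookie_secure = self::COOKIE_SECURE;
    }

    /**
     * Write the session cookie. Assumed to mirror CI_Session::_set_cookie()
     * in 2.1.3, except that setcookie() now receives the two flags.
     */
    function _set_cookie($cookie_data = NULL)
    {
        if (is_null($cookie_data))
        {
            $cookie_data = $this->userdata;
        }

        // Serialize the userdata for the cookie
        $cookie_data = $this->_serialize($cookie_data);

        if ($this->sess_encrypt_cookie == TRUE)
        {
            $cookie_data = $this->CI->encrypt->encode($cookie_data);
        }
        else
        {
            // No encryption: append an md5 so user-side tampering is detected
            $cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
        }

        $expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();

        $this->_emit_cookie($cookie_data, $expire);
    }

    /**
     * Destroy the session. Assumed to mirror CI_Session::sess_destroy() in
     * 2.1.3, except that the expired "kill" cookie now carries the same
     * flags as the live one.
     */
    function sess_destroy()
    {
        // Kill the session DB row
        if ($this->sess_use_database === TRUE AND isset($this->userdata['session_id']))
        {
            $this->CI->db->where('session_id', $this->userdata['session_id']);
            $this->CI->db->delete($this->sess_table_name);
        }

        // Kill the cookie (expiry roughly one year in the past)
        $this->_emit_cookie(addslashes(serialize(array())), $this->now - 31500000);

        // Kill session data
        $this->userdata = array();
    }

    /**
     * The only call to setcookie() in the class, so both callers get the
     * identical flag set. Helper name is this example's own.
     */
    protected function _emit_cookie($value, $expire)
    {
        setcookie(
            $this->sess_cookie_name,
            $value,
            $expire,
            $this->cookie_path,
            $this->cookie_domain,
            self::COOKIE_SECURE,
            self::COOKIE_HTTPONLY
        );
    }
}
```

Two things to check after dropping this file in: the class is picked up automatically when the session library is loaded (CodeIgniter's MY_ prefix convention), so confirm it is actually in use by looking at the Set-Cookie response header of both a login response and a logout response, which is exactly the pair of responses the scanner finding in point 2 above is about. And because Secure is now forced on, the cookie will not be sent back over plain http://, so a development site without TLS will appear to lose its session; that is the flag doing its job, not a bug in the override.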


2.1.3 does not contain cookie_httponly in the foreach, so it won't set it:

    foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name',
                   'sess_expiration', 'sess_expire_on_close', 'sess_match_ip',
                   'sess_match_useragent', 'sess_cookie_name', 'cookie_path',
                   'cookie_domain', 'cookie_secure', 'sess_time_to_update',
                   'time_reference', 'cookie_prefix', 'encryption_key') as $key)

It also isn't set here:

    setcookie(
        $this->sess_cookie_name,
        $cookie_data,
        $expire,
        $this->cookie_path,
        $this->cookie_domain,
        $this->cookie_secure
    );