setting cookies with HTTPOnly flags in codeigniter
Luckily you can view the source code for Session.php on GitHub. In the function _set_cookie you will see:

// Set the cookie
setcookie(
    $this->sess_cookie_name,
    $cookie_data,
    $expire,
    $this->cookie_path,
    $this->cookie_domain,
    $this->cookie_secure,
    $this->cookie_httponly
);
The value for $this->cookie_httponly is assigned in __construct, and the default is FALSE, but you can set it to TRUE through config.php as follows:

$config['cookie_httponly'] = TRUE;
This will enable your cookies within the framework to be HTTPOnly.
I found that there is a drawback in the session management of CodeIgniter: in version 2.1.3 there is no cookie_httponly flag.
Solution:
Step 1: You need to create your own My_session.php in the library and extend the system session file, or modify Session.php (in system->library->Session.php).
Step 2: Find the _set_cookie($cookie_data = NULL) function, go to setcookie() and modify it as:

setcookie(
    $this->sess_cookie_name,
    $cookie_data,
    $expire,
    $this->cookie_path,
    $this->cookie_domain,
    $this->cookie_secure,
    TRUE // add TRUE flag
);

Even though you are adding "TRUE", if you test with the OWASP ZAP tool, sometimes it'll give you CSRF issues, i.e.:
HTTPONLY is not true,
Secure flag is not enabled.
Reason: in sess_destroy they are setting the HTTPONLY and Secure flags to none.
Solution: Update the sess_destroy function in Session.php as:

// Kill the cookie
setcookie(
    $this->sess_cookie_name,
    addslashes(serialize(array())),
    ($this->now - 31500000),
    $this->cookie_path,
    $this->cookie_domain,
    TRUE,
    TRUE
);

These issues gave me sleepless nights, so I hope this will help you as well. :)
2.1.3 does not contain cookie_httponly in the foreach, so it won't set it:

foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)

It also doesn't set it here:

setcookie(
    $this->sess_cookie_name,
    $cookie_data,
    $expire,
    $this->cookie_path,
    $this->cookie_domain,
    $this->cookie_secure
);
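The two answers above (the "create your own My_session.php" steps and the note that 2.1.3 never reads cookie_httponly) fit together as one library override. The following is an added example, not code from the CodeIgniter project or from either answer. It assumes CodeIgniter 2.1.x, where CI_Session::_set_cookie() and sess_destroy() call setcookie() without the httponly argument; the method bodies mirror the 2.1.x originals as I recall them (including the _serialize() and encrypt->encode() calls), so compare them against your installed system/libraries/Session.php before relying on them. Both the cookie that is set and the cookie that is killed use the same Secure and HttpOnly flags, which is the point the second answer's ZAP findings turn on.

```php
<?php
// application/libraries/MY_Session.php
// Added example (not CodeIgniter's own code). Assumes CI 2.1.x and the
// default "MY_" subclass prefix; CodeIgniter loads this class in place of
// CI_Session automatically when $this->load->library('session') is called.

class MY_Session extends CI_Session
{
    // 2.1.3 has no cookie_httponly config key, so the flag is fixed here.
    // Set to FALSE only if JavaScript genuinely needs to read the session cookie.
    public $cookie_httponly = TRUE;

    // Override of the 2.1.x _set_cookie(): identical cookie construction,
    // plus the seventh (httponly) argument to setcookie().
    function _set_cookie($cookie_data = NULL)
    {
        if (is_null($cookie_data))
        {
            $cookie_data = $this->userdata;
        }

        // Serialize the userdata for the cookie (CI 2.x helper on the parent)
        $cookie_data = $this->_serialize($cookie_data);

        if ($this->sess_encrypt_cookie == TRUE)
        {
            $cookie_data = $this->CI->encrypt->encode($cookie_data);
        }
        else
        {
            // Without encryption CI appends an md5 to detect client-side tampering
            $cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
        }

        $expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();

        // Set the cookie with both Secure (from config) and HttpOnly
        setcookie(
            $this->sess_cookie_name,
            $cookie_data,
            $expire,
            $this->cookie_path,
            $this->cookie_domain,
            $this->cookie_secure,
            $this->cookie_httponly
        );
    }

    // Override of the 2.1.x sess_destroy(): the deletion cookie carries the
    // same path, domain, Secure and HttpOnly attributes as the live cookie,
    // so a scanner sees consistent flags and browsers match the cookie to delete.
    function sess_destroy()
    {
        // Kill the session DB row
        if ($this->sess_use_database === TRUE AND isset($this->userdata['session_id']))
        {
            $this->CI->db->where('session_id', $this->userdata['session_id']);
            $this->CI->db->delete($this->sess_table_name);
        }

        // Kill the cookie: expire it a year in the past, flags kept in sync
        setcookie(
            $this->sess_cookie_name,
            addslashes(serialize(array())),
            ($this->now - 31500000),
            $this->cookie_path,
            $this->cookie_domain,
            $this->cookie_secure,
            $this->cookie_httponly
        );

        // Kill session data
        $this->userdata = array();
    }
}
```

Pair this with $config['cookie_secure'] = TRUE in config.php on any site served over HTTPS; otherwise the Secure attribute stays off and the "Secure flag is not enabled" finding remains. To check the result without a scanner, fetch a page that starts a session with curl -I and look at the Set-Cookie header: both "Secure" and "HttpOnly" should appear on the session cookie, and again on the logout response that destroys it.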