I'd like to know how to set cookies as HTTPOnly in Codeigniter. I reviewed the documentation and didn't see how to set this flag.
I was also looking to set the secure flag for cookies and found it in the config.php file:
$config['cookie_secure'] = TRUE;
But there wasn't an HTTPOnly option in config.php.
How do I set all cookies to HTTPOnly? And if it's done in the framework, it would be helpful to know where that code is for my own learning (and what the default is).
Luckily you can view the source code for Session.php on GitHub. In function _set_cookie you will see:
// Set the cookie
setcookie(
    $this->sess_cookie_name,
    $cookie_data,
    $expire,
    $this->cookie_path,
    $this->cookie_domain,
    $this->cookie_secure,
    $this->cookie_httponly
);
The value for $this->cookie_httponly is assigned in __construct, and the default is FALSE, but you can set it to TRUE through config.php as follows:
$config['cookie_httponly'] = TRUE;
This will enable your cookies within the framework to be HTTPOnly.
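The config line above only helps if the flag actually reaches the browser, so a practitioner will want to check the response headers rather than trust the setting. The following Python audit is an added example, not code from the question, the answer, or CodeIgniter itself. It parses raw HTTP response headers and reports every Set-Cookie that lacks the Secure or HttpOnly attribute. The two header dumps are constructed for this example: the first resembles what PHP's setcookie() emits for the asker's situation (cookie_secure = TRUE, cookie_httponly left at its FALSE default) plus an unrelated cookie set with no flags at all; the second resembles the output once both config options are TRUE. Cookie names, values, dates and the host are made up.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of the original question or answer. The header
dumps below are constructed to look like what PHP's setcookie() emits for
a CodeIgniter session cookie; they are not captured from a real server.
"""

# Constructed: cookie_secure = TRUE, cookie_httponly = FALSE (the asker's
# state), plus a second cookie set elsewhere with no flags.
CONSTRUCTED_RESPONSE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: ci_session=a1b2c3d4e5f6; expires=Thu, 02 Jan 2025 00:00:00 GMT; Max-Age=7200; path=/; secure
Set-Cookie: remember_me=1; path=/; domain=app.example
"""

# Constructed: both $config['cookie_secure'] and $config['cookie_httponly']
# set to TRUE, and the second cookie hardened as well.
CONSTRUCTED_RESPONSE_AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: ci_session=a1b2c3d4e5f6; expires=Thu, 02 Jan 2025 00:00:00 GMT; Max-Age=7200; path=/; secure; HttpOnly
Set-Cookie: remember_me=1; path=/; domain=app.example; secure; HttpOnly; SameSite=Lax
"""

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attribute names are lower-cased so the audit is case-insensitive
    (browsers treat them that way too). Flag attributes such as Secure
    and HttpOnly map to True; valued attributes (path, expires, ...)
    map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_headers(raw_headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    An empty list means the cookie carries both Secure and HttpOnly.
    Only the first ':' is used to split header name from value, so the
    colons inside an expires= timestamp are left alone.
    """
    findings = {}
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        findings[name] = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return findings


if __name__ == "__main__":
    for label, raw in (("before", CONSTRUCTED_RESPONSE_BEFORE),
                       ("after", CONSTRUCTED_RESPONSE_AFTER)):
        print(label)
        for cookie, missing in audit_headers(raw).items():
            status = "ok" if not missing else "missing " + ", ".join(missing)
            print(f"  {cookie}: {status}")
```

To run this against a real deployment, replace the constructed strings with the header dump from `curl -sD - -o /dev/null https://your-host/` and look for any cookie whose list is not empty. Two caveats worth keeping in mind when flipping these options: with cookie_secure = TRUE a browser will not send the cookie over plain HTTP at all, so any page still served without TLS silently loses its session; and HttpOnly only hides the cookie from document.cookie, it does not stop script injected by XSS from issuing requests that the browser will still attach the cookie to.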