add support for httponly cookies
diff --git a/application/config/config.php b/application/config/config.php
index 4ad9d1d..2ffbb66 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -297,12 +297,14 @@
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
+| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
|
*/
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
$config['cookie_secure'] = FALSE;
+$config['cookie_httponly'] = FALSE;
/*
|--------------------------------------------------------------------------
diff --git a/system/core/Input.php b/system/core/Input.php
index 901b414..6e68859 100755
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -228,7 +228,7 @@
/**
* Set cookie
*
- * Accepts six parameter, or you can submit an associative
+ * Accepts seven parameters, or you can submit an associative
* array in the first parameter containing all the values.
*
* @param mixed
@@ -238,14 +238,15 @@
* @param string the cookie path
* @param string the cookie prefix
* @param bool true makes the cookie secure
+ * @param bool true makes the cookie accessible via http(s) only (no javascript)
* @return void
*/
- public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
+ public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
{
if (is_array($name))
{
// always leave 'name' in last place, as the loop will break otherwise, due to $$item
- foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item)
+ foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
{
if (isset($name[$item]))
{
@@ -270,6 +271,10 @@
{
$secure = config_item('cookie_secure');
}
+ if ($httponly == FALSE && config_item('cookie_httponly') != FALSE)
+ {
+ $httponly = config_item('cookie_httponly');
+ }
if ( ! is_numeric($expire))
{
@@ -280,7 +285,7 @@
$expire = ($expire > 0) ? time() + $expire : 0;
}
- setcookie($prefix.$name, $value, $expire, $path, $domain, $secure);
+ setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
}
// --------------------------------------------------------------------
diff --git a/system/core/Security.php b/system/core/Security.php
index cd8a610..ac39ce9 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -196,7 +196,15 @@
return FALSE;
}
- setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie);
+ setcookie(
+ $this->_csrf_cookie_name,
+ $this->_csrf_hash,
+ $expire,
+ config_item('cookie_path'),
+ config_item('cookie_domain'),
+ $secure_cookie,
+ config_item('cookie_httponly')
+ );
log_message('debug', 'CRSF cookie Set');
return $this;
diff --git a/system/helpers/cookie_helper.php b/system/helpers/cookie_helper.php
index 38a2f78..ec8aa32 100644
--- a/system/helpers/cookie_helper.php
+++ b/system/helpers/cookie_helper.php
@@ -40,7 +40,7 @@
/**
* Set cookie
*
- * Accepts six parameter, or you can submit an associative
+ * Accepts seven parameters, or you can submit an associative
* array in the first parameter containing all the values.
*
* @param mixed
@@ -49,15 +49,17 @@
* @param string the cookie domain. Usually: .yourdomain.com
* @param string the cookie path
* @param string the cookie prefix
+ * @param bool true makes the cookie secure
+ * @param bool true makes the cookie accessible via http(s) only (no javascript)
* @return void
*/
if ( ! function_exists('set_cookie'))
{
- function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
+ function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
{
// Set the config file options
$CI =& get_instance();
- $CI->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure);
+ $CI->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure, $httponly);
}
}
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 0b9d45b..0c8d465 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -48,6 +48,7 @@
public $cookie_path = '';
public $cookie_domain = '';
public $cookie_secure = FALSE;
+ public $cookie_httponly = FALSE;
public $sess_time_to_update = 300;
public $encryption_key = '';
public $flashdata_key = 'flash';
@@ -72,7 +73,7 @@
// Set all the session preferences, which can either be set
// manually via the $params array above or via the config file
- foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
+ foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'cookie_httponly', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
{
$this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
}
@@ -666,13 +667,14 @@
// Set the cookie
setcookie(
- $this->sess_cookie_name,
- $cookie_data,
- $expire,
- $this->cookie_path,
- $this->cookie_domain,
- $this->cookie_secure
- );
+ $this->sess_cookie_name,
+ $cookie_data,
+ $expire,
+ $this->cookie_path,
+ $this->cookie_domain,
+ $this->cookie_secure,
+ $this->cookie_httponly
+ );
}
// --------------------------------------------------------------------
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index f9e7422..de0eb84 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -35,6 +35,8 @@
- Removed previously deprecated SHA1 Library.
- Removed previously deprecated use of ``$autoload['core']`` in application/config/autoload.php.
Only entries in ``$autoload['libraries']`` are auto-loaded now.
+ - Added support for HttpOnly cookies with new config option ``cookie_httponly`` (Off by default).
+ This affects session and CSRF cookies, as well as the behavior of set_cookie() in the Input library and cookie helper.
- Helpers