I'd like to know how to set cookies as HTTPOnly in Codeigniter. I reviewed the documentation and didn't see how to set this flag.
I was also looking to set the secure flag for cookies and found it in the config.php file:
$config['cookie_secure'] = TRUE;
But there wasn't an HTTPOnly option in config.php.
How do I set all cookies to HTTPOnly? And if it's done in the framework, it would be helpful to know where that code is for my own learning (and what the default is).
Set HttpOnly cookie in PHPini_set("session. cookie_httponly", True); This is the most common way to set cookies in PHP, empty variables will hold their default value.
An HttpOnly cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). If the browser allowed you to access it then it would be a defect in the browser.
Luckily you can view the source code for Session.php on GitHub
In function _set_cookie
you will see:
// Set the cookie
setcookie(
$this->sess_cookie_name,
$cookie_data,
$expire,
$this->cookie_path,
$this->cookie_domain,
$this->cookie_secure,
$this->cookie_httponly
);
The value for $this->cookie_httponly
is assigned in __construct
and the default is FALSE but you can set it to TRUE through config.php
as follows:
$config['cookie_httponly'] = TRUE;
This will enable your cookies within the framework to be HTTPOnly.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With