Support for HttpOnly parameter to setcookie

Hi Qiang,

I think it would be really useful to include support for the HttpOnly parameter in setcookie, which is available if PHP version > 5.2. This is where the change could be done:

    protected function addCookie($cookie, $httponly=null)
    {
        $value=$cookie->value;
        if($this->_request->enableCookieValidation)
            $value=Yii::app()->getSecurityManager()->hashData($value);
        // setcookie() only accepts the 7th ($httponly) argument on PHP 5.2.0 and later,
        // so compare the running version against 5.2.0 (not the other way round)
        if($httponly!==null && version_compare(PHP_VERSION,'5.2.0','>='))
            setcookie($cookie->name,$value,$cookie->expire,$cookie->path,$cookie->domain,$cookie->secure,$httponly===true);
        else
            setcookie($cookie->name,$value,$cookie->expire,$cookie->path,$cookie->domain,$cookie->secure);
    }


This is to mitigate the risk of XSS attacks.

References:

https://www.owasp.or…ex.php/HTTPOnly

http://msdn.microsof…y/ms533046.aspx

http://www.theregist…yahoo_xss_vuln/

better…

    protected function addCookie($cookie)
    {
        $value=$cookie->value;
        if($this->_request->enableCookieValidation)
            $value=Yii::app()->getSecurityManager()->hashData($value);
        // the flag now lives on the cookie object; the version check must put
        // PHP_VERSION first, otherwise it is true only for PHP <= 5.2.0
        if($cookie->httponly!==null && version_compare(PHP_VERSION,'5.2.0','>='))
            setcookie($cookie->name,$value,$cookie->expire,$cookie->path,$cookie->domain,$cookie->secure,$cookie->httponly===true);
        else
            setcookie($cookie->name,$value,$cookie->expire,$cookie->path,$cookie->domain,$cookie->secure);
    }

Feature requested here
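The following stand-alone PHP example is added here to illustrate the thread; it is not code from either post or from the Yii framework. It shows the version check written in the direction that actually detects PHP 5.2.0 and newer, builds the Set-Cookie header so the HttpOnly flag can be inspected, and falls back to emitting that header directly on older PHP so the flag is not silently dropped. The class and function names (CookieSpec, supportsHttpOnlyArgument, httpOnlyCookieHeader, sendHttpOnlyCookie) are assumptions made for this example.

```php
<?php
// Added example, not from the forum posts or Yii: all names below are assumptions.

// Plain value object standing in for a framework cookie (hypothetical).
class CookieSpec
{
    public $name;
    public $value;
    public $expire = 0;        // unix timestamp; 0 = session cookie
    public $path = '/';
    public $domain = '';
    public $secure = false;
    public $httponly = true;   // default to the safer setting

    public function __construct($name, $value)
    {
        $this->name = $name;
        $this->value = $value;
    }
}

// True when this PHP accepts setcookie()'s 7th ($httponly) argument (PHP 5.2.0+).
// The version under test goes first; version_compare('5.2.0', PHP_VERSION, '>=')
// would instead be true only for PHP 5.2.0 and older.
function supportsHttpOnlyArgument($phpVersion = PHP_VERSION)
{
    return version_compare($phpVersion, '5.2.0', '>=');
}

// Builds the Set-Cookie header value by hand. Used as the pre-5.2 fallback and
// as a way to see exactly which attributes the browser will receive.
function httpOnlyCookieHeader(CookieSpec $c)
{
    $parts = array(rawurlencode($c->name) . '=' . rawurlencode($c->value));
    if ($c->expire > 0) {
        // Netscape cookie date format, always in GMT
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s T', $c->expire);
    }
    if ($c->path !== '') {
        $parts[] = 'path=' . $c->path;
    }
    if ($c->domain !== '') {
        $parts[] = 'domain=' . $c->domain;
    }
    if ($c->secure) {
        $parts[] = 'secure';
    }
    if ($c->httponly) {
        $parts[] = 'HttpOnly';   // keeps document.cookie from exposing the value to scripts
    }
    return implode('; ', $parts);
}

// Sends the cookie, preferring the native argument where PHP supports it.
function sendHttpOnlyCookie(CookieSpec $c)
{
    if (supportsHttpOnlyArgument()) {
        return setcookie($c->name, $c->value, $c->expire, $c->path,
                         $c->domain, $c->secure, $c->httponly === true);
    }
    // PHP < 5.2.0: setcookie() has no HttpOnly argument, so emit the header ourselves
    // (second argument false keeps any Set-Cookie headers already queued).
    header('Set-Cookie: ' . httpOnlyCookieHeader($c), false);
    return true;
}

// Usage with a constructed sample cookie (not a real session id).
$cookie = new CookieSpec('PHPSESSID', 'sample-session-value');
$cookie->secure = true;
$cookie->expire = 1700000000;
if (PHP_SAPI === 'cli') {
    // No HTTP response in the CLI, so just show the header that would be sent.
    echo httpOnlyCookieHeader($cookie), "\n";
    echo 'native httponly argument supported: ',
         supportsHttpOnlyArgument() ? 'yes' : 'no', "\n";
} else {
    sendHttpOnlyCookie($cookie);
}
```

Running the script on the command line prints the header value ending in `; secure; HttpOnly`, which is the same attribute list a browser sees in the response; checking that string is an easy way to confirm in a test that a framework change like the one requested above really sets the flag.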