summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRobin Sowell <robin.sowell@ellislab.com>2011-02-11 21:31:27 +0100
committerRobin Sowell <robin.sowell@ellislab.com>2011-02-11 21:31:27 +0100
commitd6d9f454b6939d1e6f1c9687f4e08d89690f79ff (patch)
tree2fdd83293d5bf27308475b44e7d36c652175b1e0
parenta3e6224d8eeddce7b86c8fe122e84c91a570d882 (diff)
Adding config option to require 'secure' setting for all cookies- requires https.
-rw-r--r--application/config/config.php2
-rw-r--r--system/core/Input.php4
-rw-r--r--system/libraries/Session.php4
-rw-r--r--user_guide/changelog.html5
4 files changed, 13 insertions, 2 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 2a084ac22..26b31e309 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -255,11 +255,13 @@ $config['sess_time_to_update'] = 300;
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
+| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
|
*/
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
+$config['cookie_secure'] = FALSE;
/*
|--------------------------------------------------------------------------
diff --git a/system/core/Input.php b/system/core/Input.php
index 1157601e1..c2db94d64 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -225,8 +225,10 @@ class CI_Input {
$expire = 0;
}
}
+
+ $secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
- setcookie($prefix.$name, $value, $expire, $path, $domain, 0);
+ setcookie($prefix.$name, $value, $expire, $path, $domain, $secure_cookie);
}
// --------------------------------------------------------------------
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 53ff4f5d3..0b94340d5 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -658,6 +658,8 @@ class CI_Session {
}
$expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();
+
+ $secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
// Set the cookie
setcookie(
@@ -666,7 +668,7 @@ class CI_Session {
$expire,
$this->cookie_path,
$this->cookie_domain,
- 0
+ $secure_cookie
);
}
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 39e6116a6..9f0e22632 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -62,6 +62,11 @@ Change Log
<h3>Bug Fixes for 2.0.1</h3>
<ul>
+ <li>General changes
+ <ul>
+ <li>Added <kbd>$config['cookie_secure']</kbd> to the config file to allow requiring a secure (HTTPS) in order to set cookies.</li>
+ </ul>
+ </li>
<li>Libraries
<ul>
<li>Fixed a bug where the table class would not clear table data after calling generate().</li>