From 4ad0fd86e8dc6dba74305dbb0c88c593b46a19a2 Mon Sep 17 00:00:00 2001
From: freewil <sean@eternalrise.com>
Date: Tue, 13 Mar 2012 22:37:42 -0400
Subject: add support for httponly cookies

---
 application/config/config.php       |  2 ++
 system/core/Input.php               | 13 +++++++++----
 system/core/Security.php            | 10 +++++++++-
 system/helpers/cookie_helper.php    |  8 +++++---
 system/libraries/Session.php        | 18 ++++++++++--------
 user_guide_src/source/changelog.rst |  2 ++
 6 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/application/config/config.php b/application/config/config.php
index 4ad9d1d6a..2ffbb6693 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -297,12 +297,14 @@ $config['sess_time_to_update']	= 300;
 | 'cookie_domain' = Set to .your-domain.com for site-wide cookies
 | 'cookie_path'   =  Typically will be a forward slash
 | 'cookie_secure' =  Cookies will only be set if a secure HTTPS connection exists.
+| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript) 
 |
 */
 $config['cookie_prefix']	= "";
 $config['cookie_domain']	= "";
 $config['cookie_path']		= "/";
 $config['cookie_secure']	= FALSE;
+$config['cookie_httponly'] 	= FALSE;
 
 /*
 |--------------------------------------------------------------------------
diff --git a/system/core/Input.php b/system/core/Input.php
index 901b4147e..6e6885992 100755
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -228,7 +228,7 @@ class CI_Input {
 	/**
 	* Set cookie
 	*
-	* Accepts six parameter, or you can submit an associative
+	* Accepts seven parameters, or you can submit an associative
 	* array in the first parameter containing all the values.
 	*
 	* @param	mixed
@@ -238,14 +238,15 @@ class CI_Input {
 	* @param	string	the cookie path
 	* @param	string	the cookie prefix
 	* @param	bool	true makes the cookie secure
+	* @param	bool	true makes the cookie accessible via http(s) only (no javascript)
 	* @return	void
 	*/
-	public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
+	public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
 	{
 		if (is_array($name))
 		{
 			// always leave 'name' in last place, as the loop will break otherwise, due to $$item
-			foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item)
+			foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
 			{
 				if (isset($name[$item]))
 				{
@@ -270,6 +271,10 @@ class CI_Input {
 		{
 			$secure = config_item('cookie_secure');
 		}
+		if ($httponly == FALSE && config_item('cookie_httponly') != FALSE)
+		{
+			$httponly = config_item('cookie_httponly');
+		}
 
 		if ( ! is_numeric($expire))
 		{
@@ -280,7 +285,7 @@ class CI_Input {
 			$expire = ($expire > 0) ? time() + $expire : 0;
 		}
 
-		setcookie($prefix.$name, $value, $expire, $path, $domain, $secure);
+		setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
 	}
 
 	// --------------------------------------------------------------------
diff --git a/system/core/Security.php b/system/core/Security.php
index cd8a61028..ac39ce97b 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -196,7 +196,15 @@ class CI_Security {
 			return FALSE;
 		}
 
-		setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie);
+		setcookie(
+			$this->_csrf_cookie_name, 
+			$this->_csrf_hash, 
+			$expire, 
+			config_item('cookie_path'), 
+			config_item('cookie_domain'), 
+			$secure_cookie,
+			config_item('cookie_httponly')
+		);
 		log_message('debug', 'CRSF cookie Set');
 
 		return $this;
diff --git a/system/helpers/cookie_helper.php b/system/helpers/cookie_helper.php
index 38a2f78fc..ec8aa3250 100644
--- a/system/helpers/cookie_helper.php
+++ b/system/helpers/cookie_helper.php
@@ -40,7 +40,7 @@
 /**
  * Set cookie
  *
- * Accepts six parameter, or you can submit an associative
+ * Accepts seven parameters, or you can submit an associative
  * array in the first parameter containing all the values.
  *
  * @param	mixed
@@ -49,15 +49,17 @@
  * @param	string	the cookie domain.  Usually:  .yourdomain.com
  * @param	string	the cookie path
  * @param	string	the cookie prefix
+ * @param	bool	true makes the cookie secure
+ * @param	bool	true makes the cookie accessible via http(s) only (no javascript)
  * @return	void
  */
 if ( ! function_exists('set_cookie'))
 {
-	function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
+	function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
 	{
 		// Set the config file options
 		$CI =& get_instance();
-		$CI->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure);
+		$CI->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure, $httponly);
 	}
 }
 
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 0b9d45b2a..0c8d46591 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -48,6 +48,7 @@ class CI_Session {
 	public $cookie_path			= '';
 	public $cookie_domain			= '';
 	public $cookie_secure			= FALSE;
+	public $cookie_httponly 		= FALSE;
 	public $sess_time_to_update		= 300;
 	public $encryption_key			= '';
 	public $flashdata_key			= 'flash';
@@ -72,7 +73,7 @@ class CI_Session {
 
 		// Set all the session preferences, which can either be set
 		// manually via the $params array above or via the config file
-		foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
+		foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'cookie_httponly', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
 		{
 			$this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
 		}
@@ -666,13 +667,14 @@ class CI_Session {
 
 		// Set the cookie
 		setcookie(
-				$this->sess_cookie_name,
-				$cookie_data,
-				$expire,
-				$this->cookie_path,
-				$this->cookie_domain,
-				$this->cookie_secure
-			);
+			$this->sess_cookie_name,
+			$cookie_data,
+			$expire,
+			$this->cookie_path,
+			$this->cookie_domain,
+			$this->cookie_secure,
+			$this->cookie_httponly
+		);
 	}
 
 	// --------------------------------------------------------------------
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index f9e742264..de0eb84c2 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -35,6 +35,8 @@ Release Date: Not Released
    -  Removed previously deprecated SHA1 Library.
    -  Removed previously deprecated use of ``$autoload['core']`` in application/config/autoload.php.
       Only entries in ``$autoload['libraries']`` are auto-loaded now.
+   -  Added support for HttpOnly cookies with new config option ``cookie_httponly`` (Off by default).
+      This affects session and CSRF cookies, as well as the behavior of set_cookie() in the Input library and cookie helper.
 
 -  Helpers
 
-- 
cgit v1.2.3-24-g4f1b