From 4ad0fd86e8dc6dba74305dbb0c88c593b46a19a2 Mon Sep 17 00:00:00 2001 From: freewil Date: Tue, 13 Mar 2012 22:37:42 -0400 Subject: add support for httponly cookies --- application/config/config.php | 2 ++ system/core/Input.php | 13 +++++++++---- system/core/Security.php | 10 +++++++++- system/helpers/cookie_helper.php | 8 +++++--- system/libraries/Session.php | 18 ++++++++++-------- user_guide_src/source/changelog.rst | 2 ++ 6 files changed, 37 insertions(+), 16 deletions(-) diff --git a/application/config/config.php b/application/config/config.php index 4ad9d1d6a..2ffbb6693 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -297,12 +297,14 @@ $config['sess_time_to_update'] = 300; | 'cookie_domain' = Set to .your-domain.com for site-wide cookies | 'cookie_path' = Typically will be a forward slash | 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists. +| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript) | */ $config['cookie_prefix'] = ""; $config['cookie_domain'] = ""; $config['cookie_path'] = "/"; $config['cookie_secure'] = FALSE; +$config['cookie_httponly'] = FALSE; /* |-------------------------------------------------------------------------- diff --git a/system/core/Input.php b/system/core/Input.php index 901b4147e..6e6885992 100755 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -228,7 +228,7 @@ class CI_Input { /** * Set cookie * - * Accepts six parameter, or you can submit an associative + * Accepts seven parameters, or you can submit an associative * array in the first parameter containing all the values. * * @param mixed @@ -238,14 +238,15 @@ class CI_Input { * @param string the cookie path * @param string the cookie prefix * @param bool true makes the cookie secure + * @param bool true makes the cookie accessible via http(s) only (no javascript) * @return void */ - public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE) + public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE) { if (is_array($name)) { // always leave 'name' in last place, as the loop will break otherwise, due to $$item - foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item) + foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) { if (isset($name[$item])) { @@ -270,6 +271,10 @@ class CI_Input { { $secure = config_item('cookie_secure'); } + if ($httponly == FALSE && config_item('cookie_httponly') != FALSE) + { + $httponly = config_item('cookie_httponly'); + } if ( ! is_numeric($expire)) { @@ -280,7 +285,7 @@ class CI_Input { $expire = ($expire > 0) ? time() + $expire : 0; } - setcookie($prefix.$name, $value, $expire, $path, $domain, $secure); + setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); } // -------------------------------------------------------------------- diff --git a/system/core/Security.php b/system/core/Security.php index cd8a61028..ac39ce97b 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -196,7 +196,15 @@ class CI_Security { return FALSE; } - setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie); + setcookie( + $this->_csrf_cookie_name, + $this->_csrf_hash, + $expire, + config_item('cookie_path'), + config_item('cookie_domain'), + $secure_cookie, + config_item('cookie_httponly') + ); log_message('debug', 'CRSF cookie Set'); return $this; diff --git a/system/helpers/cookie_helper.php b/system/helpers/cookie_helper.php index 38a2f78fc..ec8aa3250 100644 --- a/system/helpers/cookie_helper.php +++ b/system/helpers/cookie_helper.php @@ -40,7 +40,7 @@ /** * Set cookie * - * Accepts six parameter, or you can submit an associative + * Accepts seven parameters, or you can submit an associative * array in the first parameter containing all the values. * * @param mixed @@ -49,15 +49,17 @@ * @param string the cookie domain. Usually: .yourdomain.com * @param string the cookie path * @param string the cookie prefix + * @param bool true makes the cookie secure + * @param bool true makes the cookie accessible via http(s) only (no javascript) * @return void */ if ( ! function_exists('set_cookie')) { - function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE) + function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE) { // Set the config file options $CI =& get_instance(); - $CI->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure); + $CI->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure, $httponly); } } diff --git a/system/libraries/Session.php b/system/libraries/Session.php index 0b9d45b2a..0c8d46591 100644 --- a/system/libraries/Session.php +++ b/system/libraries/Session.php @@ -48,6 +48,7 @@ class CI_Session { public $cookie_path = ''; public $cookie_domain = ''; public $cookie_secure = FALSE; + public $cookie_httponly = FALSE; public $sess_time_to_update = 300; public $encryption_key = ''; public $flashdata_key = 'flash'; @@ -72,7 +73,7 @@ class CI_Session { // Set all the session preferences, which can either be set // manually via the $params array above or via the config file - foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key) + foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'cookie_httponly', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key) { $this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key); } @@ -666,13 +667,14 @@ class CI_Session { // Set the cookie setcookie( - $this->sess_cookie_name, - $cookie_data, - $expire, - $this->cookie_path, - $this->cookie_domain, - $this->cookie_secure - ); + $this->sess_cookie_name, + $cookie_data, + $expire, + $this->cookie_path, + $this->cookie_domain, + $this->cookie_secure, + $this->cookie_httponly + ); } // -------------------------------------------------------------------- diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index f9e742264..de0eb84c2 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -35,6 +35,8 @@ Release Date: Not Released - Removed previously deprecated SHA1 Library. - Removed previously deprecated use of ``$autoload['core']`` in application/config/autoload.php. Only entries in ``$autoload['libraries']`` are auto-loaded now. + - Added support for HttpOnly cookies with new config option ``cookie_httponly`` (Off by default). + This affects session and CSRF cookies, as well as the behavior of set_cookie() in the Input library and cookie helper. - Helpers -- cgit v1.2.3-24-g4f1b